CarahCast: Podcasts on Technology in the Public Sector

You Can't Secure What You Can't See: Apply TruContext™ to Your Splunk Data with Visium Analytics

Episode Summary

In Visium’s newest podcast, Jesse Jones, Chief Architect at Visium Analytics, and Joel Kelly, Director of Special Projects, joined us to provide an understanding of how TruContext™ enriches your Splunk-processed data with an intuitive topological-type view of the relationships amongst disparate data points.

Episode Transcription

Speaker 1: On behalf of Visium Analytics and Carahsoft, we would like to welcome you to today’s podcast focused around You Can’t Secure What You Can’t See – Apply TruContext™ to Your Splunk Data, where Jesse Jones, Chief Architect at Visium Analytics, and Joel Kelly, Director of Special Projects, will discuss how TruContext™ enriches your Splunk processed data with an intuitive topological type view of the relationships amongst disparate data points.

Joel Kelly: Good afternoon, everyone. My name is Joel Kelly, and I'm the Special Projects Lead for Visium Technologies. The need to better utilize your data and protect your environment is common to us all. So I want to thank you all for joining; we didn't have a whole lot of runway in terms of time and getting folks around the campfire for this. So the fact that we have a really nice showing, again, from people across public and private sector, we're grateful for that. So thanks again for showing up. Jesse Jones, our Chief Architect, will take you through TruContext™, powered by CyGraph. And then finally, I will provide you with a little bit of info on how to price and configure TruContext™. Alright, so what do we do? So Visium Technologies is a cybersecurity company. And if I had three seconds in an elevator to explain what we do, I'd tell you that we essentially bring isolated data and events together, right, and we integrate that data with existing cyber tools. And then from there, we create an overall and rather comprehensive picture for decision support and situational awareness. MITRE Corporation, hopefully many of you have heard of MITRE Corporation, they've developed a globally accessible cybersecurity knowledge base, which essentially provides usable guidance, specifically tactics and techniques used to secure environments, known as the ATT&CK framework. Essentially, we integrate the ATT&CK framework into TruContext™. Visium Technologies owns the exclusive rights to this framework, commonly referred to as CyGraph, which is now what we call TruContext™. Hopefully that makes sense to everyone. So without further ado, let's get into the technology a little bit. I'll hand it off to Jesse. And Jesse, take it away.

Jesse Jones: Thanks. Thanks for the intro. Yep. Morning, everyone, for those... afternoon now, isn't it? Yeah. So just to get started here, we're talking a little bit about the challenge, right, what are we trying to solve here? Big issue we see across the industry, and regardless of where you're at, government, civilian, you know, commercial, what have you. And definitely, if you're in a medium-sized organization, in larger organizations, you're getting inundated with cyber events, many times to the point where it's overwhelming, and you really can't hire enough staff to kind of take care of it, right, to mitigate what you're seeing or even to properly discern, sometimes, you know, whether or not you're tracking down the right things or not. Much of this can be kind of boiled down to noise in a sentence, right? You have so many duplicate events, duplicate information points, and so forth. And it's just all sort of jumbled into just a lot of data basically coming at you in your organizations, and you're trying to decipher this here, even with, you know, the industry-leading tools, right. So just about any medium-size, and large organizations for sure, are going to have some sophisticated tool sets within their repertoire, right, to address the various different, you know, cybersecurity concerns or events, and scanning tools, you get your SIEM tools such as Splunk, and others, right, just big data tools and such. Even then it's still a bit sort of overwhelming, right? We see big organizations, whether they're commercial or government, right, they're still getting compromised, in the midst of all the sophisticated tool sets that we have. And one of the things that you end up having that becomes a missing factor is that context. Many environments, they struggle with trying to apply context to, say, the inundation or the voluminous data that's coming their direction.
So when you don't have context, you do spend a lot of time just trying to figure that data out even before you get to a point of prioritizing and making decisions, and so on and so forth. Right. So it's just a lot of kind of upfront legwork being done before you can start analysis. So one of the things that we're doing here, right, this challenge, we're providing a solution where you can see your data day one, zero day, however you want to frame it. So inherently as part of our platform, as data is being ingested, whether it's through batch mode or real-time Kafka streaming mode, bottom line is you're going to be able to see your data. And when you see it, what that really means is that you can see the form of your data. Once you can see the form of your data, you're starting to get all sorts of context, right, and it helps you in so many different ways, from being able to prioritize, better utilize your resources, and so forth. So again, and this is all happening inherently, almost kind of like a... I'm sure anyone that's listening to this may be familiar with just the data industry in general, what ETL means, right, extract, transform, load. In a sense it is almost an auto-ETL inherently built into the tool. Because as we ingest, too, we automatically render data in this particular way that you can actually see and understand intuitively, alright? So ultimately that's going to drive better decisions and so forth. But context is really the key to being able to pull out the signal from the high volume of noise that even consumers, right, in some of their home networks, are seeing. Well, what we allow you to do is overlay context on everything.
So whether you're taking discrete, your favorite tools that you already have, one thing that you're going to commonly find missing, generally, from tools in the market today in the cybersecurity ecosystem in particular, is something that gives you that context right out the gate, so you can start making quick decisions at velocity, right. So you can take our capability in the way that we ingest and process data and apply some of our algorithms, you can take it day one, and just overlay it on just about any type of data set you can imagine. Right? And we're focusing on cybersecurity here. Alright. And then once you apply that context, now it becomes very intuitive, the data sets, even almost like a whiteboard scenario, right? Right, even without deep understanding, if you will, you can even understand the data, right. So this is, again, very intuitive. And once the data is intuitive, now, in essence, what you end up doing, I spoke to this on the previous chart, you've automated that ETL process, in a sense. So now you reduce the burden on your staff, so you save time, headcount, etc. And then within your organizations you're able to see all your assets and the interrelations there, which ultimately is what it takes to see context: it's actually understanding the interrelations, right. So in essence, what we're providing here, essentially, you could think of it as an enrichment engine to any of your tools, existing tools, a complement to those existing tools, right. And also, for just data in general, we can pull in raw data that's not even coming from another tool. So let's just level set a little bit on what graph is, right, graph technology, for those that may not be as familiar. I imagine most folks on this call are probably familiar with it, but we'll do this sort of quick intro session here. This is the essence of what we mean by seeing your data: you're starting to see form, you can see topologies associated with your data.
But the circles here, those are identified as nodes in a graph, right, in the graph technology sphere. And the vectors that you see are identified as relationships or edges, and those are kind of used synonymously, but nodes and edges. And the node, you can almost think of it as a noun, right? If you want to sort of boil it down, reduce it to as simple terms as possible in a sense, right? And the vectors, those edges, those relationships, right, you can consider those your verbs. So really quick, right out the gate, this gets back to the intuitive point and how folks at just about any level can take a look at this and say, "Man, I kind of got an understanding of what's going on." So for instance, and right now we're just using examples of people, right, say if you pull data from your LDAP system or what have you, right, and we just want to see relationships between people. But these could be machines, right? They can be service endpoints, they can be network components, routers, switches, and so forth, right? Or any kind of asset or any kind of data point. But just to kind of get the sort of rudimentary understanding across, we're using people as an example. But say if you had James, and say that encompasses his compute endpoint systems, when you see James there and say James became compromised. What context means is now I don't just get to focus on discrete James in and of itself, because many systems tell you when a device is compromised, or there is a vulnerability associated, right, through your scanning applications. But what you don't know out the gate is, alright, what impact does that have on my broader enterprise, the broader system? So this view right here, at a glance, day one, right there it is already processed and rendered in this form. You're able to see James knows Sarah. Oh, and if so, if James is compromised, now I've got to be concerned about Sarah.
And not only Sarah, I've got to be concerned about Sam and Sandy and John and Linda, right, because they are just a couple of degrees of separation from there. So now you get this very powerful picture. I know we all heard that phrase, a graph tells, or a picture tells, a thousand words, maybe a million words here, because you're saving so much processing associated with all that voluminous data, that noise that we talked about on previous charts. But now, really, at a glance, you know where to prioritize; therefore, you're going to get the most out of your people, your staff, so they're not busy trying to figure out what their priorities are, they know what they want right out the gate. So that's sort of the gist, if you will, of the graph technology, the nodes, the relationships slash edges, and how now you can see, and this is what context means, you can see those interrelationships and you know the broader system impact or potential impacts you may have with a single individual vulnerability, let's say one of your scanning platforms could make you aware of. Again, you get this context on sight. Here's a bit on the architecture layout, you know, top-level architecture view here. We can ingest, I would say, as a universal ingestion engine, the way that the systems are structured, right? We can pull from raw PCAP files, we can pull NetFlow data, we can pull cyber events from other tools, we can extrapolate traffic patterns from PCAP files. PCAP is packet capture files, like if you're using Wireshark or something like that. We can identify vulnerabilities; we can pull directly from your Nessus systems, right, your vulnerability scanning systems, and effectively graph the data that we get from all these disparate data points into a single composite view, which we'll talk about in a moment as well. So in essence, ingesting from anywhere within your enterprise, from any data point, any other tool.
So that's why it's such a complement to your existing cyber ecosystem, and your other tools throughout the space, right. And this is what we mean by being able to lay context on any data, for that matter, right, so now you get this true composite view. And now, once you get a composite view, by ingesting from all these sources and graphing it all together with full context, all the interrelationships built in, now you finally get the full story, you can see the full story of what's going down. And this is not just confined to the enterprise, either; we're going to touch on that in just a second when we look at a brief use case overlay, or an overlay view of a composite graph. But one other point here I talked about a bit ago, really some of that auto-ETL capability, I spoke about the extract transform load, that's happening during the transform phase of this architecture. And ultimately, the rendering that's getting done is sort of embedded in the analysis phase, right? And then you get your various different graphs of your choice, really, on how you want to view things, that gets rendered in a very intuitive way, so that all can really understand what's going on within the enterprise and the bigger systemic impacts that might be under disguise as well.

Joel Kelly: Jesse, can I interrupt you just for a second? Could you list some minimum capabilities that an organization should have or acquire to best utilize TruContext™?

Jesse Jones: Yeah, an organization generally, on the cybersecurity front, organizations may already have some tools in house, such as vulnerability scanners, threat analysis systems, things like you may be subscribed to CrowdStrike, you may have something like Rapid7 Nexpose as a scanner, you may have other SIEMs, right? Or a SIEM such as Splunk, right? Security information and event management systems. So any of those types of components that are doing a certain amount of processing, albeit without context yet. If you use those as sources, as feeder points into the system here, we're going to, in essence, be able to enrich what you already have from those components, and therefore you get a fair amount more value out of the sort of output you get from those systems. Now with that said, in essence, we could step into an organization without any of those tools. And we can start from a greenfield perspective, where we're just pulling data off of your wire, we're pulling data from your routers and switches, and I'm talking more of a net-centric system here. Or it could just be data about your organization, right? It could be LDAP data about the people and locations and roles and different things, right. And we can overlay that onto your technology infrastructure and technology assets. So if the use case required us to come into a greenfield, there's a way to do that. And any organization is going to have ways that we can pull this raw data on the information of their environments, again, whether it's your LDAP, which could also mean your Active Directory systems, or it could be just traffic on your networks; we can pull that in without actually requiring any other tool as a feeder. But many times what we see is, if you have other tools that you're utilizing, we add a fair amount of value to that, because we're basically able to take the already processed data and present it in a way where you can see context.
So there's a few ways to skin a cat there. But I would say, you know, in the Splunk situation, right? You already have Splunk. Now we're going to add another level of value to your Splunk infrastructure by being able to render a context on top of Splunk intelligence and Splunk correlated data.

Joel Kelly: Thank you, Jesse. Can this be used as a standalone tool, in addition to an add-on? Can you speak to the ability to detect and assess impact of any of these mainstream media data breaches like SolarWinds?

Jesse Jones: Yeah, it could be in a sense a standalone, right? Where you have scenarios like SolarWinds, much of that probably would have been identified through your scanning systems, right, once that was identified as a vulnerability that, you know, became a CVE and so forth, right. So your scanning systems are picking that up. But in a case where you have certain traffic patterns, through, you know, some of the intelligent algorithms we have here, we can pull data straight from your wire, right, and decipher some of those traffic patterns, right, and render it in an effective graph, basically, and you're seeing context of traffic flows. And again, I'm speaking network-centric here. And that's partially because this composite overlay view that I'll talk about in a second is more network-centric. But in essence, in that sense, we can pull directly from your wire. You know, it's obviously not intended to be a one-size-fits-all; there's always specialty areas, but there is room where this can come in, depends on the application, right, or the use case, and sort of perform in a greenfield environment just by pulling, you know, sort of traffic statistics and data from existing, you know, assets, right? Whether it be just pulling event log data from your Windows or Linux or Mac platforms, right, we can take that data, and then we can actually construct it into a graph and provide meaningful insight there. So I sort of alluded to this a little bit on the previous question, but I guess the short answer is yes, it can function in that capacity as well. However, you know, there's not many organizations that don't already have some tools. So the big benefit we've seen at this point has been complementing existing tools within an ecosystem such as Splunk with the context, right. So they've already done a fair amount of processing today with data; now we can come in and provide this in a relationship view.
With our platform, we've developed some intelligence where we can overlay datasets from different sources, even outside of your enterprise. For instance, if you've got a cloud space, right, generally that's an extension of the enterprise, but there's still a different domain. Or if you have just stuff out in the public domain, like there's many databases out there that we can pull data in from; matter of fact, we may have done some of it even in a demonstration here from IP data, basically a site that provides geolocation of IPs across the globe. And you've got other data, maybe, if you have a CrowdStrike-type service that's doing threat analysis, you know, basically in a public space, we can pull data from there. The Cybersecurity and Infrastructure Security Agency, right, for us, we can pull data from there as well, from some of their databases. And then from that perspective, these vertex points, in a sense, those are points where we can graph data from these different domains together and get you one single unified picture. Now you've got the full story, right? So you can actually do root cause analysis here, and our system has some intelligence to help with that as well, right, and provide root cause analysis determination. So if I had a compromise within my data center, you know, if you sort of track in this sort of picture here, and I determine, you know, I looked at some of the threat identifiers, right, maybe some of the CVE material, and I was able to start to map that back to threat actors through some of my public domain data. And I was able to map certain threat actors that align with the CVE, or ATT&CK framework information possibly, right back to a particular known exploitation command center. So now I'm starting to see root cause analysis of some of my internal problems, because I get the full picture.
And I see the relationships of all the different assets, no matter where they're coming from, as long as I can pull data in, right. Again, I just graph those different data sources and create one composite view; I graph them at the sort of vertex points. And we'll touch on this just a little bit in the demonstration as well. I've got a similar view in the demonstration we'll touch on just a little bit more, even though the demonstration is really intended to lay out just the structure of the platform and show a little bit of the capability there. So TruContext™, if you will, for Splunk. The point being is you can't secure what you can't see, that sort of tag there. I mean, I think that says it all. In a sense, what we allow you to do, through overlaying context, is to provide form to your data, again, provide a form that you can see and recognize and understand and make intelligent decisions on, and rapid decisions for that matter. So, you know, Splunk has just a vast amount of usage capability and value, right, in intelligence. So we're able to take all that great work that Splunk is already doing, and now we're able to fill a small gap where there may live, where there's not enough context. And we fill that gap with our capability through our proven integration with Splunk. And now you can have more context, context in context for that matter, depending on where you're pulling data from. And you really get the full picture, something that you can take action on in real time, for that matter, again, full context. So once you get that sort of context for context, again, now you get this insight that you can just make confident decisions on, because you understand now, you understand all the impacts across your system, to a certain extent. And ultimately, what that is doing is just adding higher fidelity, you know, to your data. It is, as I mentioned before, an enrichment engine to your existing datasets.
And ultimately, that starts to save time, headcount, and so forth. Because again, especially the larger medium and large organizations, you really can't even hire yourself out of this quandary, because there's just so much data. To a certain extent, if you don't have a good system to sort of effectively discern that data, you just don't have enough people to throw at the value of the data that might come in to make decisions. And these decisions need to be made in real time, basically, within hours, you know; you can find yourself at the end of a compromise, or some sort of an exploit. So you want to be able to see these pictures in as near real time as possible. And here's just a further example of it, right? So you look at some of your traditional Splunk views. And this kind of gets back to the whole "see your data in a form": you've got your dashboards, you obviously got some more of your raw data views that you have off to the top left there. But once you overlay TruContext™ on top of Splunk, now you get to see a form, right, something that anyone can really understand, even without necessarily knowing what a CVE is. If you had some manager or director or executive, they still see that there's a relationship between that thing called a CVE and these other devices, right. But of course, most likely they're going to have some idea of what those terms mean, at least, even if they're not deep tech, diving into them, right. But the bottom line is, now you can see a topological form of your data and the respective relationships. So you know where to focus; you can see that CVE, that blue icon, there, is associated with your LDAP server, I talked about that, or local file share, right?
And then you can start to see from there what those things are associated with, you know, the broader impacts. You can even see how you have a threat actor associated with a personal cloud storage device, which is connected to a regional laptop, and that laptop, obviously, if it has connection to your broader enterprise in some form or fashion, there you go, you have other entry points, if you will, of possible compromise. And even in this example right here, you can even briefly see that that threat actor is exfiltrating data from that personal cloud storage space. And also, you'll be able to compare that and determine, you know, "Hey, we have policies against that." So right out the gate, anyone can see that this laptop is violating one of our policies. So you don't need to take a deep dive, or you don't need to have an engineer generate a report to come back to you and tell you about it. Anyone can see this almost at a dashboard level. Because again, it's a whiteboard-type view that's very intuitive to just look at and understand what these lines and relationships are, how these nodes and edges are interconnected. So at that point, again, and this is out of the box, right, you see this out of the box once we ingest data; this is rendered in real time, these types of views. You get, at first glance, understanding, intuitive understanding; therefore you can make these pinpoint priority decisions right away. You know, you have to prioritize maybe the laptop and a few other devices immediately to mitigate those, because they have other relationships; they could maybe tap back into a command center, right. So that's the gist. So that's really what you're getting with TruContext™ when you add it to Splunk. You get all the valuable intelligence, but now you can actually see your data with the context, and context in context.

Joel Kelly: So Jesse, we do have another question. What is the typical time to value for companies using TruContext™ or something similar to pull the data and get context to make decisions? What's a typical ramp up time?

Jesse Jones: Yeah, I would say, you know, obviously, it's like any tool, right? You've got to introduce this to your enterprise. So you bring in TruContext™, and we educate you on graph a bit more in detail, and understand your data sources, whether we're dealing with a greenfield or we're dealing with, which is the majority case, right, existing cyber tools that would become data source points for TruContext™. In that sense, there is kind of an upfront assessment, just understanding the environment. But once we understand the environment and we have the data sources identified that a particular enterprise may want to start with, the point of value is near real time, obviously. You know, you set your system up, but once the system is set up, again, to your point, and it's retrieving from all the appropriate data sources, because the ETL, all that sort of transform and load, is done automatically, you're automatically or inherently seeing the TruContext™ graph view, right, with all the relationships, the interrelationships. That's a near real time sort of thing. So I mean, you know, say a day, right. Once the prerequisites are done, so you have your prerequisites, the setup, and then you're seeing data in an understandable, intuitive way, immediately, right? Because it's just a native, inherent function of graph technology in general.

Joel Kelly: So Jesse, thank you again for that. Can alarms be set to trigger based off these relationships TruContext™ exposes?

Jesse Jones: Yeah, in essence, we could configure audible alarms when there was a particular issue of concern. We configured the pulsating feature, right? That could be audible, if you wanted it to be.

Joel Kelly: Awesome. Can you configure the system to alert you to certain specified criteria? Or issues as they're happening?

Jesse Jones: Yes, you can. Yeah, it depends. Obviously, it gets into the details of what you want to identify, what type of criteria and that sort of stuff, but you can, and it can alert you effectively. You can even sort of tie it into corporate policy, right, from an NLP perspective, right; you can pull in kind of corporate policy-type information. And that could be another level of overlay of enrichment, right, as you're kind of going through, or as TruContext™ is going through, the data that's been ingested, you know, such as we talked about on that demonstration, right, and also on the charts. You had a laptop in a regional office that was connected to a personal cloud storage that was being compromised. If we had sort of corporate policy information overlaid, that could be another flag; you can see there, corporate policy number 10 violated. So yeah, in essence, you can set certain violations based on whatever your criteria might be for your specific enterprise.

Joel Kelly: Thank you, Jesse. We do have a testimonial that basically, if I were to sum this up, what TruContext™ really provides is, we kind of do away with the old way with charts and graphs, and we bring your data into kind of a quick, contextualized view. Right? So I mean, that's my takeaway from this testimony. I don't personally like reading word for word, but it is a testimonial from a CISO for the State of Delaware on TruContext™. I wanted to share that with you. Carahsoft is our distribution partner, so for more information, feel free to contact Carahsoft. A big thank you to everyone for joining us today. We hope you got something from it. And we invite you to stay engaged with us; we'd like to help you with your cybersecurity needs. Thanks, everyone.

Speaker 1: Thanks for listening. If you would like more information on how Carahsoft or Visium Analytics can assist your educational institution, please visit www.carahsoft.com or email us at visium@carahsoft.com. Thanks again for listening and have a great day!