Grapl - A Graph Platform for Detection and Response

Presented at BSidesLV 2019, Aug. 6, 2019, 3 p.m. (55 minutes)

Historically, detection has been performed on point anomalies - a log comes in, the log is analyzed, and a decision is made to alert based on that analysis. Similarly, investigations are based on searches over isolated events - an alert fires and you manually try to find related events based on ad-hoc queries.

Grapl aims to move beyond individual events as the fundamental abstraction and focus instead on relationships. Logs are parsed into graph representations and merged into a master graph representing all actions occurring across your environments. This approach allows for relationship-based detections and more efficient, ergonomic investigations.

Grapl handles the work of turning logs into subgraphs, orchestrating signatures executing across the graph, and automatically scoping investigations through expansion of the graph.

Presenters:

• Colin O'Brien   as Colin OBrien
  Colin began his career at Rapid7, working to take research from the data science team, build production quality services, and integrate them into the InsightIDR platform. Eventually, after working on IDR's detection team to build attacker signatures for its customers, Colin started working at Dropbox. Since working on the Detection and Response Team at Dropbox Colin has had the chance to dive deep into D&R work, learning to engage with the red team, and take on challenges that D&R teams face.

Similar Presentations:

• DerbyCon 3.0 All in the Family (2013) / My Security is a Graph – Your Arguement is Invalid
• 31C3 (2014) / Mining for Bugs with Graph Database Queries
• Kernelcon 2019 / Grapl - A Graph Analytics Platform for DFIR