A Picture is Worth a Thousand Words — How to Read TruSTAR Graphs
At TruSTAR we are constantly trying to make incident exchange and collaboration easier for security operators and analysts. The top priority for security operators using the TruSTAR platform is to enrich incidents they are investigating and find relevant, actionable correlations with other reports.
To that effect our data science team has made intuitive graph visualizations and reporting a cornerstone of our platform. In this blog we discuss how to use TruSTAR’s graph capabilities for improving your analysis.
Reports and Indicators of Compromise (IoC)
Data submitted to TruSTAR is converted into a graph data model users can easily manipulate and explore (see image below). We call TruSTAR graphs “Constellations.” All of our data can be categorized into two node types : Report and IoC.
- A Report node represents information collected from a number of different sources, including user-reported incidents, and paid/open source threat data feeds. Report nodes are represented with the blue TruSTAR icon.
- An IoC node represents all indicators extracted from a specific Report. IoC nodes are represented with smaller icons specific to the data source.
So, effectively, you can say that a Report node contains one or more IoC nodes. When two different Report nodes contain the same indicators they are implicitly correlated to each other.
How To Read TruSTAR Graphs
In the above graph all the blue nodes are Reports submitted to TruSTAR. You can see that multiple Reports are connected through an IoC.
Intuitively this tells you that this cluster is enriching the Report in the center with the white star. We also pull information from other intelligence sources, like VirusTotal, Facebook ThreatExchange and number of OSINT feeds (see full list below). These are also shown on the graph if there is a correlation with any of these sources.
On the TruSTAR platform you can click on the various Reports and read the underlying data context to better understand these connections. We currently use 11 types of IoC’s to derive correlations among reports. In essence, if a report you submit has any of these 11 types of IoC’s our platform will be able to use them for correlation. Below is a full list of icons that are represented on our visualization.
Additional Analysis Capabilities
We also allow you to drill down on a specific Report node by double clicking on it. There is a timeline filter which allows you to specify the time period of interest for your analysis. You can delete specific nodes from the visualization and undo your actions.
We are just starting to scratch the surface when it comes to visualization analysis of security data. Over the next few months we will be rolling out more capabilities to drive intuitive visual analysis. Log into TruSTAR and try out what we have to offer today.
