Cybersecurity & Graph Technology: An Excellent Fit

· 5 min read

We are becoming increasingly dependent on technology. Yet, without diligent attention paid to cybersecurity, technology is vulnerable to unauthorized access, change or even destruction. These vulnerabilities pose threats to our individual and collective safety, security and human and economic well-being.

Cybersecurity is therefore a vitally important global issue with substantial consequences that depends on safe, stable, and resilient security of our data, devices, and systems.

Equifax: The Breach

The latest major cybersecurity incident was publically revealed when Equifax, a US-based consumer credit reporting agency that assimilates and analyzes the financial health of more than 820 million consumers and 91 million businesses globally, announced a massive breach.

Characterized as one of the worst ever in terms of the quantity of people affected as well as the type of information released, the breach potentially impacts over 143 million U.S. consumers. The information stolen – consumers’ names, social security numbers, birth dates, addresses – is considered the Holy Grail of personal information, as it is commonly used not only to confirm a consumer’s identity but could potentially be used to gain access to additional personal information, such as financial accounts and medical records.

Cybersecurity == Big Data

To be successful, cybersecurity analysts – such as the ones analyzing the Equifax breach – have to capture, store, analyze and potentially share vast amounts of rapidly evolving information that often spans institutional, jurisdictional and international boundaries.

As this is non-trivial, cybersecurity has become a big data problem, requiring not only flexible and scalable data solutions but solutions that yield the right information in the right context at the right time.

Relationships == Insight

Cybersecurity and consumer financial data are strikingly similar to other problem domains, such as communication networks, supply chain management and social networks in that the underlying data is high-volume, unstructured, dynamic and highly related. While each of these attributes are certainly important, it is the last attribute – being highly related – that is of particular interest.

When looking beyond individual data points and attempting to understand the relationships between the data, significant insights can be drawn, with the realization that at times the value of the relationships may matter as much or even possibly more than the individual data points themselves.

In cybersecurity, it is the analysis of these connections/relationships that uncover an attack’s layers of deception and indirection. In consumer financial data, it is the analysis of these relationships that uncover fraud.

Connected Data == Graph Databases, Business Value

Real-world cybersecurity and consumer financial data are each incredibly complex, forming nested, interdependent and interconnected networks. Graph databases, such as Neo4j, the #1 platform for connected data, are an excellent match for this data, as they are designed and tailored specifically to this data’s characteristics.

Beyond their many technical advantages, graph databases also offer significant business value. While data is a business asset being able to properly utilize it is often a challenge.

Graph technology allows data to tell a story, efficiently connecting dots that otherwise may not be visible or understood, maximizing its value and enabling easier querying and analysis, which leads to more informed decisions. As data is enhanced – such as by adding new relationships between existing data – the inherent business value of the data increases.


Businesses and governments around the world are working toward better cybersecurity strategies.

MITRE, a US-based, not-for-profit organization that operates research and development centers sponsored by the US federal government, including the US Department of Homeland Security, is playing a leading role in advancing cybersecurity.


Recognizing that a common, foundational language was needed to exchange cyber threat intelligence (CTI), MITRE developed the Structured Threat Information Expression (STIX™) specification.

Envisioned to provide collaborative threat analysis, automated threat exchange and automated detection and response capabilities, STIX enables organizations to analyze and share CTI with one another in a consistent and machine-readable manner. With the goal of sharing the right information at the right time as well responding to attacks faster and more effectively, STIX allows security communities to better understand attacks of the past and present as well as to serve as a foundation to research and possibly even anticipate attacks of the future.

Understanding that the shape of cybersecurity data is an excellent fit, MITRE based STIX 2.x on graph database technology, citing that the approach allows for flexible, modular, structured and consistent representations of CTI.

This use of graph technology has been described as a game changer, moving the collection and analysis of CTI into the twenty-first century, such as employing the capability to add ad-hoc relationships as needed, mirroring the activity seen in the field, without having to have all system-allowable relationships predetermined and modeled at system design time and without significantly degrading system performance.

Future versions of STIX will take further advantage of graph database capabilities. While previous versions of STIX specified a concrete and finite set of domain entities and relationships, defining what types of reportable data was allowed (therefore forcing real-world data to conform to the specifications), producers of STIX 2.1 CTI will be free to create custom STIX entities and relationships of any type, allowing implementations to support data as seen in the wild. This capability, utilized at a large scale, is made feasible by the underlying use of graph technology.


GraphAware, specializing in advanced, graph and open source based software development, agrees with MITRE that graph technology is the foundation of cybersecurity’s future.

As the world’s leading Neo4j consultancy, GraphAware is currently performing research and development of a JVM-based STIX microservice, powered by the Neo4j database. With a private beta currently targeted for Q1 2018, more details will become available on GraphAware’s blog as details are released publicly.


Cybersecurity is a vitally important global issue with substantial consequences to our individual and collective safety, security, and human and economic well-being. 

Cybersecurity has become a big data problem, requiring advanced data solutions. Graph databases, such as Neo4j, are an excellent match for this data and are a key technology enabler for the needed collection, analysis and research.

The STIX specification, originally created by MITRE, is a major advance for the cybersecurity industry. GraphAware, as graph experts and the world’s leading Neo4j consultancy, is working to implement the STIX specification.

While cybersecurity is a perpetual game of cat and mouse, businesses and governments around the world are working toward better cybersecurity strategies. The emergence of big data and other leading edge technologies, including graph databases, significantly boost the capabilities of these strategies and moves us closer to the goal of providing maximum security of our data, devices, and systems.

Eric Spiegelberg