We are often asked, “What is the difference between Sift Security and Elastic Graph?” This is a great question that typically comes from folks who are already familiar with Elasticsearch [0] and Elastic Graph [1]. The answer boils down to the following: Elastic Graph is a tool for visualizing arbitrary aggregate search results. Elasticsearch is a distributed, RESTful search and analytics engine that serves a wide range of use cases, including mapping Python client calls to ES REST endpoints. Sift Security uses a graph database to simplify and accelerate specific security use cases. In this blog post, we describe the advantages of each of these approaches, and conclude with a discussion of when to use each.
Advantages of Sift Security vs Elasticsearch and Elastic Graph
Query speed
Sift Security builds a property graph to represent security log events at ingestion time. We do this work at ingestion time for one reason: to speed up common investigative queries. When investigating alerts and incidents, analysts ask questions like:
- Did this user/host/IP address generate any other alerts?
- Was there any lateral movement from this host?
- What users were logged in to this host when this alert triggered?
- Were there any other entities affected by this attack?
Ease of working with security logs
Our cybersecurity experts have already done the hard work of defining the important entities and relationships for common security logs. This means that analysts don’t have to worry about data formats, key names, or the information conveyed in individual log lines. Our graph model defines the possible queries and surfaces this information to the user in an interactive visualization. The graph model presents enough information to the user for them to understand what happened, without getting bogged down in details.
The following screenshot illustrates this behavior. We have clicked on “administrator” in the graph. The right panel shows all the relationships we could add to the graph on the right side. Relationships are categorized, color coded, and have descriptive names. Clicking any of the blue relationship names will add the associated edges to the graph.
Graph analytics
Query speed isn’t just important for the analyst; it is also important for the analytics. Having a graph database enables Sift Security to quickly and efficiently find complex, multi-stage threats by automatically identifying threat clusters and other anomalous structures in the graph. These analytics can also be performed in the context of an investigation. Clicking an entity like Catheryn and choosing “Find Risks” will search the graph for any alerts near Catheryn, even if they don’t explicitly involve Catheryn. For example, this would also find alerts coming from hosts Catheryn has logged onto and IP addresses Catheryn has used.
No limits on result set size
Whereas Elastic Graph uses fixed-size aggregations to populate its graph visualization, Sift Security enables queries that return all of the possible results, such as “What processes did this user run within this time window?”. This is helpful for traversals that require a set intersection, such as “What processes did both of these users execute?”. Sift Security excels at displaying fine-grained, detailed, targeted information.
Advantages of Elastic Graph
Flexibility
Elastic Graph has no pre-defined, fixed structure to the graph. Any two aggregatable fields in a document can be visualized as entities and relationships. This means that a user must specify the fields they want to visualize from a list of all the indexed fields.
Focus on significance
Using significance measures helps investigations over large datasets. It is most useful when the goal is to find the elements from a set that best characterize an entity. For example, “What are the most significant processes executed on this host?” could help quickly identify what a host is used for. Fixed-size result sets enable users to quickly see and understand query results.
Identifying bulk structures in unstructured data
Due to its fixed-size queries, Elastic Graph excels at displaying the bulk structure surrounding the results of multiple simultaneous significance queries. This approach is especially useful for tasks such as identifying similar texts based on which significant terms they have in common.
Elasticsearch: get your answers instantly
Elasticsearch can perform structured, unstructured, geo, and metric searches.
When to use Sift Security vs. Elastic Graph
Elastic Graph’s strength is in its flexibility. If you are a power Elasticsearch user who relies on aggregate queries to find meaning in your structured or unstructured data, Elastic Graph will help visualize and identify structure in those results. If you need the flexibility of visualizing arbitrary fields or unstructured data, and the answers to your questions are best defined by aggregate searches, then Elastic Graph is the right choice. For example, Elastic Graph can help you explore Shakespeare’s works or product sales data.
Sift Security is built with specific use cases in mind: security operations and incident response, both on premise and in the cloud. Our graph model, architecture, and analytics help to identify the most serious threats and enable analysts to rapidly investigate and resolve incidents. If you are looking to streamline your security ops, incident response, threat hunting, or cloud-ops practices, Sift Security is the right choice.
To get started with the documentation for Elasticsearch, Kibana, and Logstash, please visit this Elasticsearch tutorial.
To learn more about the power of graph databases, see our whitepaper “Why Graph?” [2]. This post, like the Elasticsearch tutorials, can help you understand how Sift Security can benefit your organization; to learn more, email us at contact@siftsecurity.com.
[0] Elasticsearch. https://www.elastic.co/products/elasticsearch
[1] Elastic Graph. https://www.elastic.co/products/x-pack/graph
[2] “Why Graph”, Sift Security. https://siftsecurity.com/papers/Sift-Security-Why-Graph.html