Graph-Wide Scanning: Solving Advanced Cyber Threats
What if the biggest threats to your network aren't the ones you're looking for, but the ones hiding in plain sight for months? This is the core challenge of modern cybersecurity, and it's what we recently explored in a special episode of the GraphGeeks podcast. I had the pleasure of speaking with two industry experts: David Haglin, Chief Technology Officer and Cofounder at Rocketgraph, and David Hughes, a graph and AI expert and Principal Solution Architect at Enterprise Knowledge. Our discussion centered on a unique and powerful concept: graph-wide scanning—a concept that might seem counterintuitive even to seasoned graph pros but is essential for cybersecurity, especially as threats become more sophisticated. You can watch the full podcast recording above or read on for the highlights.
The Challenge of Modern Threats
“Think about how much cyber data you get in a day, and now imagine you need to look over six months’ worth of cyber data to see if this advanced persistent threat is there and how it’s progressed. That’s way too much.”
In today's complex digital landscape, adversaries are cunning. They don't enter through obvious corridors; they hide in the noise. As David Haglin noted, you're often looking for something that represents a minuscule fraction of all data—sometimes as little as 0.003%. Traditional security tools, which rely on looking for known patterns or known entry points, are simply not comprehensive enough. These methods, often referred to as "graph lookup," only examine a small subset of the data, leaving vast areas—potentially 99% of the graph—unexplored.
This is especially problematic when dealing with Advanced Persistent Threats (APTs). As David Hughes explained, these threats are an "arms race," where attackers are constantly evolving their methods. An APT might infiltrate a network, sit and wait for months, and then execute a multi-stage attack such as lateral movement, which is notoriously difficult to detect with traditional tools.
Why Graph-Wide Scanning is the Answer
The solution, according to both experts, is graph-wide scanning. Imagine the difference between a security guard checking a few doors (known entry points) versus a drone that can surveil the entire warehouse. Unlike methods that start from a "seed set" or "anchor," graph-wide scanning is an approach that scans the entire graph to find a pattern, no matter where it is hiding. This is crucial for discovering long-tail events and "low signal" situations that are missed by other approaches.
This unique method requires a different way of thinking about performance. The traditional metric of "queries per second" becomes irrelevant. Instead, the focus is on a new set of metrics: completeness and traversed edges. David Hughes suggested that a more relevant measure might be "the distribution of the concepts in this data and the completeness of the edges that have been considered in the response."
In one incredible example, David Haglin shared a query on a 150 billion-edge graph that scanned a mind-boggling 123 trillion edges. It took time, but it found fewer than 4,000 answers. In a cybersecurity world, that’s "amazing" and highlights the power of finding the critical few from the overwhelming many.
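To make the distinction between a seeded "graph lookup" and a graph-wide scan concrete, here is an added example (not code from the podcast, from Rocketgraph, or from Enterprise Knowledge). It builds a constructed toy graph of host-to-host authentication events, then searches for one pattern, a time-ordered three-hop chain of logins, two ways: starting only from a seed set of known entry points, and starting from every node in the graph. Both searches report the two metrics the discussion emphasises, the number of edges traversed and completeness (the share of all matches actually found). The event list, the pattern, and the function names (`seeded_lookup`, `graph_wide_scan`, `completeness`) are all assumptions made for this illustration.

```python
"""Added example: seeded lookup vs graph-wide scan on a toy auth-event graph.

Everything below is constructed for illustration. The edge list, the
pattern (a strictly time-ordered chain of HOPS logins with no repeated host)
and the function names are assumptions, not any product's API.
"""
from collections import defaultdict

# Constructed sample: directed authentication events (src_host, dst_host, time).
# Two time-ordered 3-hop chains are embedded. Only one starts at the
# perimeter host that a seeded lookup would use as its entry point.
EVENTS = [
    ("web01", "app01", 10), ("app01", "db01", 20), ("db01", "backup01", 30),  # chain from perimeter
    ("web01", "app02", 11), ("app02", "web01", 12),                            # noise
    ("wks17", "file02", 100), ("file02", "dc01", 110), ("dc01", "vault01", 120),  # chain with no seed upstream
    ("file02", "wks17", 105), ("app02", "db01", 15),                           # more noise
]

HOPS = 3  # pattern length: number of consecutive edges in a chain


def build_adjacency(events):
    """Map each source host to its outgoing (destination, time) edges."""
    adj = defaultdict(list)
    for src, dst, t in events:
        adj[src].append((dst, t))
    return adj


def _extend(adj, path, last_t, hops, traversed, matches):
    """Depth-first extension of `path`; every edge inspected is counted."""
    if len(path) - 1 == hops:
        matches.append(tuple(path))
        return
    for dst, t in adj.get(path[-1], []):
        traversed[0] += 1
        # Pattern constraints: strictly increasing time, no host revisited.
        if t > last_t and dst not in path:
            _extend(adj, path + [dst], t, hops, traversed, matches)


def find_chains(adj, start_nodes, hops=HOPS):
    """Return (matches, edges_traversed) for chains rooted at start_nodes."""
    traversed = [0]
    matches = []
    for node in start_nodes:
        _extend(adj, [node], -1, hops, traversed, matches)
    return matches, traversed[0]


def seeded_lookup(events, seeds, hops=HOPS):
    """Traditional 'graph lookup': only explore outward from a seed set."""
    return find_chains(build_adjacency(events), seeds, hops)


def graph_wide_scan(events, hops=HOPS):
    """Graph-wide scan: root the pattern search at every node in the graph."""
    adj = build_adjacency(events)
    nodes = sorted({s for s, _, _ in events} | {d for _, d, _ in events})
    return find_chains(adj, nodes, hops)


def completeness(found, all_matches):
    """Fraction of the ground-truth matches that a search actually returned."""
    if not all_matches:
        return 1.0
    return len(set(found) & set(all_matches)) / len(all_matches)


if __name__ == "__main__":
    all_matches, wide_edges = graph_wide_scan(EVENTS)
    seed_matches, seed_edges = seeded_lookup(EVENTS, ["web01"])
    print(f"graph-wide: {len(all_matches)} matches, {wide_edges} edges traversed")
    print(f"seeded    : {len(seed_matches)} matches, {seed_edges} edges traversed, "
          f"completeness={completeness(seed_matches, all_matches):.2f}")
    for chain in all_matches:
        print("  ", " -> ".join(chain), "" if chain in seed_matches else "(missed by seeded lookup)")
```

On this toy graph the seeded lookup is cheaper (7 edges traversed against 24) but reports only two of the three chains; the chain rooted at the workstation `wks17` is never reached because nothing upstream of it is in the seed set. That is the trade the episode describes: paying for more traversed edges buys completeness, which is the metric that matters when the target is a few matches hiding among everything else.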
The Role of AI and the Future of the Analyst
A core part of this evolution is the integration of AI. David Haglin explained that Rocketgraph baked GenAI into its user experience, moving away from complex languages like Cypher. This democratizes the process, allowing analysts with domain expertise, but not necessarily data science backgrounds, to interrogate and "play 20 questions" with their data using natural language. This leads to a powerful collaboration between humans and technology.
Looking ahead, both Davids agreed that the ultimate goal is to remove the cognitive burden from the analyst. The future they envision is a system where an analyst arrives at work to a summarized report, generated by an AI, that highlights only the most important events that have occurred since their last shift. This frees the analyst to do what they do best: focus on intelligence and investigation. As David Hughes stated, with new systems, analysts will "no longer have to be burdened with being data engineers and data scientists. They...will be able to focus on intelligence."
Ready to transform how you tackle threats?
Graph-wide scanning is not just an upgrade; it's a fundamental shift in how we fight back.
Check out what pattern-finding looks like in Rocketgraph, in their quick video on money laundering patterns. And dive deeper into graph-based cybersecurity in their content center, with a 2 Minute Tutorial series to get you started!