Graphs are about the connectedness of objects. Graph’s show us correlation and dependence between seemingly random objects as well as the degrees of freedom and separation from other objects. Social graphs (like Facebook, Twitter and LinkedIn) have had huge impact on society (both good and bad) and how we interact. Graphs allow us create predictive models that actually work.
Graphs are also key to understanding the “hidden lives” of the assets in an organization. Organizational assets are not standalone islands (e.g. as depicted in a CMDB) but rather an “asset graph” of asset attributes (addresses, unique IDs, promises, etc.), connectivity (ports, keys, auths, etc.) and syntax (protocols, formats). Just like a social graph, this “asset graph” is continuously evolving and is key to understanding and measuring an organization’s actual cyber risk.
True cyber risk analysis merges information from two graphs:
- a semantic knowledgebase of cyber security + compliance concepts and relationships
- An asset graph that provides a transparent, graph-connected model of the “hidden lives” of organizational assets
Combining these graphs will have the same impact on cyber risk as social graphs have had on society, enabling a model-based, policy-driven, mathematical analysis of actual cyber risk – instead of today’s focus on perceived risk.