Black Hat insights: How Sonrai Security uses graph analytics to visualize, mitigate cloud exposures

Modern civilization revolves around inextricably intertwined relationships. This is why our financial markets rise and fall in lock step; why climate change is accelerating; and why a novel virus can so swiftly and pervasively encircle the planet.

Related: What it will take to truly secure data lakes

Complex relationships also come into play when it comes to operating modern business networks. A lack of understanding of these relationships is a big reason why cloud breaches happen.

The good news is that there is a very powerful, proven tool that can help companies decipher complex networking security relationships. I’m referring to graph databases, which support graph analytics.

With Black Hat USA 2021 just around the corner, I had a deep discussion about this with Eric Kedrosky, CISO and Director of Cloud Research at Sonrai Security. Based in New York City, Sonrai launched in late 2017 to help companies gain clarity about data and identity security-related relationships within their public cloud environments, including Amazon Web Services, Microsoft Azure and Google Cloud.

We discussed why graph databases and graph analytics are so well-suited to advancing cybersecurity – especially as digital transformation accelerates towards, and within, the cloud. Notably, Sonrai Security’s core platform applies graph analytics to agile software development and deployment, mapping and operationalizing all identity and data trust relationships, which is one specific part of the larger security picture. But that’s getting ahead of this story. Here are the key takeaways:

Connection clarity

Anyone who has ever opened an Excel spreadsheet is familiar with relational databases. A relational database uses predefined tables to establish relationships between records; they work instantaneously and use scant memory.

By contrast, a graph database uses no predefined structures, and each record, or “node,” can be queried individually. This enables graph analytics – the use of algorithms to identify and visually display the connections between one individual node and many other nodes or groups of nodes.

While relational databases are excellent for things like bookkeeping, graph databases are strong at highlighting all of the direct and indirect connections between individual nodes, which can be people, places or objects. Keep in mind that these relationships, referred to as node connections, would be forever obscured if we didn’t have graph databases and graph analytics to systematically correlate them.

“Graph analytics allow you to visually map the relationships between different data sources and the identities that have access to them,” Kedrosky says. “You can see parallel paths at a single glance, and thereby identify patterns and also start to peel back the onion to figure out how to fix any problems.”

One example of this is how Chinese researchers used graph analytics to establish connections between people, locations and transportation systems in order to accurately model the spread of Covid-19, and subsequently to help support contact tracing.

Graph analytics, in point of fact, has been steadily advancing over the past couple of decades. Today it is used widely in finance, science and medicine – and even by law enforcement to fight human trafficking, and by Big Tech to extend social networks and support behavior-driven advertising.

Crisis of identities

The one arena that’s a perfect fit for graph analytics – but where it has not yet been extensively leveraged – is cloud security. Sonrai Security is in the vanguard of tech vendors now taking up that mantle. Sonrai is bringing graph database technology to bear on cloud security at a time when the migration from on-premises company data centers to the cloud is in full swing.

Agile software today is the product of DevOps, the framework for rapidly developing and deploying new apps. DevOps revolves around third-party developers mixing, matching and reusing modular “microservices” assembled inside of software “containers.” Each microservice and container, in turn, gets assigned a unique non-person identity.

What’s more, each and every API — the interface coding that enables data exchanges between all people and non-people identities — itself is a unique identity node. This is how cool new digital services are getting spun up at high velocity; and it’s a process with untold security blind spots.


“Companies are asking questions like, ‘What are my identities in the cloud? Who has access to what? What exactly can any identity do? Where is my data, or even what is my data?’” Kedrosky observes. “This shift did not happen like an earthquake, where everyone woke up one morning and the whole world had changed. It was more like incredibly complex, nuanced changes seeped in.”

Visualizing dependencies

As cloud migration has ramped up, it has become typical for enterprises to have dozens to hundreds of cloud accounts, thousands of cloud data stores and tens of thousands of people and non-people identities under their purview. This translates into an array of dependencies that can all too easily lead to over-permissioned identities, inadequate separation of duties and excessive access paths to critical data, Kedrosky points out.

Sonrai makes use of graph databases to detail every connection between all people and non-people identities and all the data in the cloud. This provides the basis to implement graph analytics to map out each and every iteration of human and non-human connection. Interactive graphic illustrations can then be conjured to visually highlight all access paths to sensitive data from a variety of perspectives.

By using graph analytics to systematically vet each identity’s trust relationship to other identities and data, an enterprise ultimately arrives at indisputable, granular illustrations of each and every access path to the company’s most sensitive, crown-jewel data.

“There might be hundreds of people identities, and tens of thousands of non-people identities,” Kedrosky says. “One misconfiguration, in a chain of configurations, and a developer with low-level access on the development side of the house can gain full-level access to your most sensitive data on the production side of the house.”

The security flaw in this scenario should seem obvious: a bad actor needs only finagle access to one over-permissioned identity, human or non-human, to wreak havoc. It’s one thing to explain this exposure verbally or in a written report. Graph analytics enables the addition of evocative visual aids. And the right graphical image can be worth a thousand words.
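The chain Kedrosky describes, as an added example that is not Sonrai’s code: a toy identity-and-data graph in which a developer identity reaches production data only through a misconfigured role-assumption chain, and a depth-first search that enumerates every access path to a sensitive store and flags the multi-hop ones a per-identity permission review would miss. All identity, role and bucket names are constructed.

```python
"""Toy access-path analysis over an identity/data graph (constructed example).

Nodes are cloud identities (people and non-people) and data stores; directed
edges are trust or permission relationships. The question asked here is the
one the article describes: which chains of permissions reach the crown jewels?
"""
from collections import defaultdict

# Constructed sample graph: (source, relationship, target). All names are
# hypothetical, not taken from any real environment.
EDGES = [
    ("dev-alice",       "assumes", "role-dev-deploy"),
    ("role-dev-deploy", "assumes", "role-ci-runner"),       # misconfigured trust policy
    ("role-ci-runner",  "reads",   "bucket-prod-customers"),
    ("svc-billing",     "reads",   "bucket-prod-customers"),
    ("dev-alice",       "reads",   "bucket-dev-logs"),
    ("role-ci-runner",  "assumes", "role-dev-deploy"),       # cycle: must not loop forever
]
SENSITIVE = {"bucket-prod-customers"}

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def access_paths(graph, start, targets):
    """Return every simple path from `start` to any node in `targets`.
    The current path doubles as the visited set, so cycles in role-assumption
    chains are skipped rather than followed forever."""
    paths = []
    def walk(node, path):
        for _rel, nxt in graph.get(node, []):
            if nxt in path:          # already on this path: a cycle
                continue
            step = path + [nxt]
            if nxt in targets:
                paths.append(step)
            else:
                walk(nxt, step)
    walk(start, [start])
    return paths

def indirect_paths(graph, start, targets):
    """Paths of more than one hop: access gained only through chained trust,
    which is exactly what a per-identity permission review tends to miss."""
    return [p for p in access_paths(graph, start, targets) if len(p) > 2]

if __name__ == "__main__":
    g = build_graph(EDGES)
    for p in indirect_paths(g, "dev-alice", SENSITIVE):
        print("indirect access: " + " -> ".join(p))
```

In a real deployment the edge list would be generated from the cloud provider’s identity, trust-policy and resource-policy data rather than hand-written, but the path enumeration is the same.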

“What this allows decision makers to do is visualize risk,” Kedrosky says. “When you’re talking at the senior management and board level, the discussion is about risk management; information security is just another chapter in the enterprise risk management book. And graph analytics allows them to map out their risk.”

Creating this risk management awareness requires action, and doing it well requires speaking to each audience in its own terms. The interests and responsibilities of the C-suite are different from those of security, which are different from those of developers — speaking in the same language to all of them results in speaking to none of them. Once the risk is identified, the trust relationships mapped and the issue understood, the decision makers can really manage the risk by getting the right alert to the right team to take the right action.

World health officials very successfully used graph databases and graph analytics to map out the global spread of Covid-19. It’s easy to see how this technology can be wielded proactively by enterprises to gain granular visibility of breach risks spreading far and wide through their hybrid networks.

This would give board members a fact-based perspective on which to base risk mitigation decisions. This makes a ton of sense and it’s encouraging to see it start to happen. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: