Hi, I’m Andréa, a Full-Stack Developer at Grapl Inc where I build new features and capabilities across our front and back-ends in order to help our customers catch attackers in their network, keeping their data safe.
When I’m not coding, I enjoy reading, walking in the Bay Area listening to podcasts, and being active. I’m happiest when I’m spending time outdoors or with my family and friends.
How We Catch Hackers with GraphQL
Grapl is taking a graph-based approach to security to build a next generation SIEM for defenders. To help their users find meaning in their data, Grapl has recently transitioned their REST API to GraphQL.
In this talk, Andréa explains why Grapl made the switch to GraphQL, what their experience was as a company that hadn’t used it before, and how they use GraphQL to help their customers explore their data more effectively to catch hackers in their networks.
I might sound uninformed but I would still like to clear my doubts since I am on this fun learning path.
When you mention hackers with GraphQL, do you marry any cyber security tools/techniques with Graph or is it something that an engineer can achieve with only GraphQL?
We use GraphQL as a tool to power our product, Grapl, which helps catch attackers using a graph-based approach to security. Security Analysts can upload attack signatures, which are written using Python. We use the attack signatures to search our DGraph cluster for suspicious attacker behaviors. We then use GraphQL for investigations where the analysts want to pivot off of the suspicious graph for context.
The base knowledge to use our API is just an understanding of what data you want to explore, so anyone with development experience can use our API.
When it comes to using your data to track attacker behaviors, security knowledge is useful to understand what to look for in your data.
Thanks for a nice and engaging presentation! I agree that working with graph data requires us to shift our mindset to think differently and in associations. Since I’m creating something similar for network traffic analysis, I am interested in your users’ experience so far. Were analysts or incident response team members capable of this mindset change?
Thanks for watching, your project sounds really interesting and I’m glad to hear that you’re taking a graph-based approach!
The mindset change was certainly a shift from what analysts are used to because they’re trained to think in events.
However, analysts are already building up graphs in their head and thinking in graphs naturally, so once they have the tool in front of them, investigations are intuitive and they’ve enjoyed their experience so far!
With anything, it takes time to adjust, but ultimately, using graphs to express attacker behavior saves time.
We used express-graphql with GraphQLHTTP to make our requests. On the front-end, we used fetch to make the request because it was important to us to learn the fundamentals of GraphQL first, keep it simple, and stick to technologies we knew. This is also why we didn’t use a third-party at first.
As far as GraphQL security concerns, it’s sometimes easier to abuse APIs written with GraphQL because they offer such a powerful API. Clients can get access to information they weren’t supposed to. In our case, we use DGraph for authorization, and only allow authenticated requests in our API.