We present a novel approach to protecting the network assets of an enterprise by combining large language models (LLMs) with graphs. LLM-powered agents compile threat intelligence from sources such as RSS feeds, STIX feeds, security analyst reports and websites. The agents use planning and reflection patterns to validate the threat intelligence and extract the indicators of compromise (IoCs) it contains, such as malicious IP addresses, file hashes and alert patterns found in log files. The filtered intelligence is then mapped onto a configuration management database (CMDB), represented as a graph whose nodes are computers and whose edges are connections and flows. The CMDB, stored in the Neo4j graph database, is queried for the affected nodes, which are assigned a risk value based on the threat intel. Graph algorithms then predict how that risk propagates through the network: nodes adjacent to an affected node may be more susceptible to attack than nodes several hops away. Combining this with node centrality, we compute a risk score for each node, and this metric guides the mitigation plan: IT teams can prioritise the highest-risk nodes for patching and closer monitoring. The overall system complements existing SIEM and SOAR tooling with improved threat intelligence compilation, a copilot for asking free-form questions, and graph data science for measuring risk and its propagation across the network. It is intended to reduce false positives in threat intelligence, provide a risk assessment view of network assets, and offer recommendations based on past cases and knowledge bases such as MITRE's.
Dattaraj Rao, Venkateshwar Tyagi, Sadashiv Borkar
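The risk-scoring step the abstract describes (seed risk from IoC matches, propagate it by hop distance, weight it by centrality, rank nodes for mitigation) is concrete enough to illustrate. The block below is an added example and is not code from the talk or its authors; it uses a small constructed CMDB, a constructed IoC set and constructed per-host observations, runs entirely in the Python standard library instead of Neo4j, and assumes one particular scoring rule (noisy-OR combination of hop-decayed seed risk, times 1 + degree centrality) where the abstract only says "graph algorithms" and "node centrality".

```python
"""Added example: seed asset risk from IoC matches, propagate it over the CMDB
graph by hop distance, and weight it by degree centrality to prioritise
mitigation. Pure standard library; the graph, IoCs and host observations are
constructed for the example and are not data from the talk."""
from collections import deque

# Constructed CMDB: undirected edges between hosts (connections / flows).
CMDB_EDGES = [
    ("web-01", "app-01"), ("web-01", "app-02"),
    ("app-01", "db-01"), ("app-02", "db-01"),
    ("jump-01", "db-01"), ("jump-01", "hr-pc-07"),
]

# Constructed, already-validated threat intel (what the LLM agents would emit).
IOCS = {
    "ip": {"198.51.100.23"},              # TEST-NET-2 documentation range
    "sha256": {"0123456789abcdef" * 4},   # placeholder hash, not a real sample
}

# Constructed per-host observations: remote IPs seen in flow logs and file
# hashes reported by the endpoint agent.
OBSERVATIONS = {
    "web-01":   {"ip": {"198.51.100.23", "203.0.113.9"}, "sha256": set()},
    "app-01":   {"ip": {"10.0.1.5"}, "sha256": set()},
    "app-02":   {"ip": {"10.0.1.6"}, "sha256": set()},
    "db-01":    {"ip": set(), "sha256": set()},
    "jump-01":  {"ip": {"10.0.9.1"}, "sha256": set()},
    "hr-pc-07": {"ip": set(), "sha256": {"0123456789abcdef" * 4}},
}


def build_adjacency(edges):
    """Undirected adjacency map; isolated hosts would need adding explicitly."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def seed_risk(observations, iocs):
    """Hosts with at least one IoC hit get an initial risk of 1.0, others 0.0."""
    seeds = {}
    for host, seen in observations.items():
        hit = any(seen.get(kind, set()) & values for kind, values in iocs.items())
        seeds[host] = 1.0 if hit else 0.0
    return seeds


def hop_distances(adj, source, max_hops):
    """BFS distances from source; hosts at max_hops are kept but not expanded."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt in adj.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def propagate_risk(adj, seeds, decay=0.5, max_hops=3):
    """Each seed contributes seed_risk * decay**hops to every host within
    max_hops. Contributions combine as a noisy-OR, 1 - prod(1 - r_i), so a
    host near two compromised hosts scores higher than one near a single
    compromised host, but never above 1.0 (assumed rule, not the talk's)."""
    survive = {host: 1.0 for host in set(adj) | set(seeds)}  # prod(1 - r_i)
    for src, risk in seeds.items():
        if risk <= 0.0:
            continue
        for host, hops in hop_distances(adj, src, max_hops).items():
            survive[host] *= 1.0 - risk * decay ** hops
    return {host: 1.0 - s for host, s in survive.items()}


def degree_centrality(adj):
    """Degree centrality: degree / (n - 1), in [0, 1]."""
    denom = max(len(adj) - 1, 1)
    return {host: len(nbrs) / denom for host, nbrs in adj.items()}


def prioritise(risk, centrality):
    """Assumed scoring rule: propagated risk * (1 + centrality). Ties are
    broken by host name so the ranking is deterministic."""
    scores = {h: r * (1.0 + centrality.get(h, 0.0)) for h, r in risk.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_assets(edges=CMDB_EDGES, observations=OBSERVATIONS, iocs=IOCS):
    """End-to-end: IoC match -> seed risk -> propagation -> centrality-weighted
    ranking, highest priority first."""
    adj = build_adjacency(edges)
    risk = propagate_risk(adj, seed_risk(observations, iocs))
    return prioritise(risk, degree_centrality(adj))


if __name__ == "__main__":
    for host, score in rank_assets():
        print(f"{host:<9} {score:.3f}")
```

On the constructed data the two hosts with direct IoC hits (web-01 and hr-pc-07) come out first, the hosts one hop from either of them next, and db-01, two hops from both seeds, last even though it has the highest centrality; in a real deployment the decay factor, hop limit and centrality measure are the knobs to tune against observed lateral movement, and the same scores can be written back to the Neo4j nodes as a property for the SIEM/SOAR integration the abstract describes.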
Get certified with GraphAcademy: https://dev.neo4j.com/learngraph
Neo4j AuraDB https://dev.neo4j.com/auradb
Knowledge Graph Builder https://dev.neo4j.com/KGBuilder
Neo4j GenAI https://dev.neo4j.com/graphrag