Security Telemetry Evolution: The Year of the In-Memory Graph?

A fad or trend is any form of collective behavior that develops within a culture, a generation or social group in which a group of people enthusiastically follow an impulse for a short period. In cyber, every year there is at least one new fad with associated buzz words–but what’s different is that, unlike many fads, we don’t discard one and move onto the next, we tend to incrementally layer them. 

Over the last few years, Artificial Intelligence (AI) has become the big industry buzz phrase, and in the last 18 months Zero Trust (ZT) and now XDR have both followed (despite Zero Trust being over a decade old). The question is always what will be the next strategy, capability or methodology that will impact the industry? 

Well, the first week of June was the RSA conference in San Francisco–arguably the largest cybersecurity conference of the year–which includes one of my favorite sessions: the innovation sandbox. Here, ten early startup cybersecurity companies get to pitch their new solutions to industry stalwarts and venture capitalists. It is a great litmus test for what we might expect to see more of in the coming years. 

Not surprisingly, supply chain, cloud and API all featured heavily this year. This is a natural reflex to the threats and technology shifts we have seen over the last 12-24 months. 

What was interesting to me was that four of these ten new vendors with differing solutions all leveraged in-memory graphing capabilities to achieve their goals. If you look back over the last decade plus, the volume of cybersecurity telemetry generated has continued to explode, and the challenge is always that so much of it was proprietary, there was really no way to take all that telemetry and make meaningful decisions based on it.

If you have the time to read up on graph theory, at the simplest level “a graph is an abstract data type” that through “mathematical structures is used to model pairwise relations between objects;” in our context, that’s cybersecurity data. 

For a long time now we have used the notion of the kill chain or the anatomy of a breach to define the steps of an attack, and graphing gives us the ability to take cybersecurity event data and map a breach across an organisation’s entire network, effectively aggregating 1000’s of alerts into one event, a cyber attack.

Not all startups in the competition were threat detection or prevention tools, some were using graphing in other ways. As an example: one was using it to correlate all the asset artifacts we gather from multiple sources to better define a more accurate inventory of what a business has and therefore what it needs to protect. 

The key takeaway for me is that graphing seems set to become the next “key enabler” for cybersecurity. Helping to manage one of the key challenges we have faced for years to come, because too much unstructured event data relies on humans to aggregate and assimilate into something that has enough context to be actionable, and that dependence on humans means we cannot scale effectively or act on all this data in real-time.

Cybereason was founded 10 years ago, back in 2012, and the founders saw way back then the need to move away from detecting individual events to being able to map an entire malicious operation from end to end, complete with automated context and correlations baked-in, and so launched the product from day one using in-memory graphing to achieve this. 

Personally, for me this shift to using in-memory graphing in cyber is a great validation of why I joined the company: Cybereason was very early in embracing a new concept that could significantly change the way we look at and deal with cyber threats. 

Now, as we move into the second half of 2022, I’m excited to see just how many other cybersecurity vendors have just started to leverage the notion of in-memory graphing to deal with our cybersecurity big data problem. 

Only time will tell if this trend catches fire–but one thing that is clear is that data growth will continue to outpace human skills growth and capacity, so if we don’t embrace these new capabilities, the time required to identify and respond to cyber incidents will only become more protracted, which is certainly a concern as we are are only seeing the new threats iterate faster.


Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Greg Day
About the Author

Greg Day

Greg Day is a Vice President and Global Field CISO for Cybereason in EMEA. Prior to joining Cybereason, Greg held CSO and CTO positions with Palo Alto Networks, FireEye and Symantec. A respected thought leader and long-time advocate for stronger, more proactive cybersecurity, Greg has helped many law enforcement agencies improve detection of cybercriminal behavior. In addition, he previously taught malware forensics to agencies around the world and has worked in advisory capacities for the Council of Europe on cybercrime and the UK National Crime Agency. He currently serves on the Europol cyber security industry advisory board.