Data Ingestion

Security data is collected from logs, network traffic, endpoints, cloud services, and external intelligence feeds. Common sources include firewalls, security information and event management (SIEM) platforms, intrusion detection systems (IDS), and malware analysis reports. These raw data points form the foundation of threat detection.

Normalization and Correlation

Raw security data comes in different formats from various sources. To make it useful, the data is structured and standardized. Correlation engines analyze events across different systems to identify relationships between suspicious activities. A login attempt from an unusual location might seem harmless alone, but when combined with other indicators like failed authentication attempts and unusual network access, it could reveal an ongoing attack.

Threat Detection and Anomaly Identification

The system continuously monitors activity, looking for deviations from normal behavior. Unusual authentication patterns, unexpected spikes in network traffic, lateral movement within a network, or unauthorized access attempts can signal a threat. By linking related activities, cyber threat analytics helps security teams identify attacks that would otherwise go unnoticed.

Threat Intelligence Enrichment

Open Threat Exchange (OTX) and other external intelligence sources provide real-time context for suspicious activity. Indicators of compromise (IOCs) such as known malicious IP addresses, domains, or file hashes can be cross-checked against internal data to confirm potential threats. This external context helps security teams distinguish between false alarms and real risks.

Risk Prioritization

Not all threats carry the same level of risk. Cyber threat analytics assigns risk scores based on factors like severity, potential impact, and correlation with known attack patterns. This prioritization allows security teams to focus on high-risk incidents instead of being overwhelmed by minor anomalies.

Incident Response and Mitigation

Once a threat is confirmed, security teams take action. This may involve blocking an IP address, isolating a compromised system, disabling an affected account, or launching a deeper investigation into the attack path. In some cases, automated response mechanisms trigger immediate defenses to prevent further damage.

Cyber threat analytics is a continuous process that adapts to evolving threats. By analyzing relationships between different activities, security teams can detect attacks earlier and respond faster, reducing the risk of serious security incidents. These capabilities make cyber threat analytics essential across various security functions. From incident response to fraud detection, organizations use it in different ways to strengthen their defenses.

Incident Detection and Response

Quickly identifying and responding to security incidents reduces damage and recovery time. Cyber threat analytics helps detect unauthorized access, malware infections, and suspicious activity in real time. By analyzing connections between network events, security teams can pinpoint the origin of an attack and take immediate action to contain it.

Threat Hunting

Rather than waiting for alerts, security teams can proactively search for threats. Cyber threat analytics helps identify suspicious patterns that might not trigger traditional security tools. Analysts can map attacker behaviors, uncover stealthy movements, and stop intrusions before they escalate.

Fraud Detection

Financial institutions and online services rely on cyber threat analytics to identify fraudulent activity. By tracking transactions, user behaviors, and account activity, security teams can detect account takeovers, payment fraud, and identity theft. Analytics helps spot unusual behavior, such as a sudden change in spending patterns or access from an unexpected location.

Insider Threat Monitoring

Not all threats come from external attackers. Employees or contractors with access to sensitive systems can pose security risks. Cyber threat analytics helps detect unauthorized data access, privilege abuse, and unusual login patterns that may indicate an insider threat.

Supply Chain Security

Organizations rely on third-party vendors, cloud providers, and supply chain partners, which expands the attack surface. Cyber threat analytics helps monitor external relationships, detect vulnerabilities in partner networks, and assess risks from compromised third-party systems.

Threat Intelligence Correlation

Integrating cyber threat analytics with external intelligence sources like Open Threat Exchange (OTX) improves detection capabilities. Security teams can cross-check internal security events against known threat indicators, identifying active threats faster and preventing attacks linked to global adversaries.

Network and Endpoint Security

By analyzing traffic patterns and endpoint activity, security teams can detect malware infections, command-and-control (C2) communications, and lateral movement within networks. Cyber threat analytics helps uncover coordinated attacks that involve multiple devices, making it easier to stop threats before they spread.

Cyber threat analytics enhances security operations by improving visibility, reducing investigation time, and enabling proactive defense strategies. Organizations that apply analytics effectively can detect threats earlier and prevent security incidents with greater accuracy. However, implementing and maintaining a robust cyber threat analytics program comes with its own set of challenges. Managing large volumes of security data, reducing false positives, and integrating intelligence sources are just a few obstacles security teams must overcome.

Data Overload

Organizations generate massive amounts of security data from logs, network traffic, endpoints, and cloud services. Sorting through this data to identify real threats can be overwhelming. Without efficient filtering and correlation, security teams may struggle to focus on high-risk events.

False Positives and Alert Fatigue

Analytics tools can generate alerts for activities that appear suspicious but are not actual threats. Too many false positives lead to alert fatigue, causing security teams to overlook critical warnings. Fine-tuning detection rules and improving correlation methods help reduce unnecessary alerts.

Lack of Skilled Professionals

Cyber threat analytics requires expertise in threat intelligence, security operations, and data analysis. The cybersecurity skills gap makes it difficult for organizations to find and retain professionals capable of interpreting and acting on analytics-driven insights.

Integration Complexity

Many organizations use multiple security tools, each generating its own set of logs and alerts. Integrating cyber threat analytics with existing systems, including SIEM platforms, endpoint detection and response (EDR), and threat intelligence feeds, can be complex and time-consuming. Poor integration leads to fragmented data and blind spots in security monitoring.

Evolving Threat Landscape

Attackers constantly refine their techniques, making it harder to rely on static detection methods. Cyber threat analytics must adapt to new attack patterns, malware variants, and tactics used by advanced persistent threats (APTs). Keeping up with evolving threats requires continuous monitoring and intelligence updates.

Privacy and Compliance Concerns

Security analytics often involves processing sensitive data, which raises privacy and regulatory challenges. Organizations must balance effective threat detection with compliance requirements related to data protection laws such as GDPR and CCPA. Ensuring proper data handling while maintaining strong security can be difficult.

Cost and Resource Constraints

Building and maintaining an effective cyber threat analytics program requires investment in infrastructure, tools, and personnel. Smaller organizations may struggle with budget limitations, making it harder to deploy advanced analytics solutions.

Overcoming these challenges requires a well-structured approach. Organizations must optimize data processing, refine detection techniques, integrate intelligence sources, and invest in skilled personnel to maximize the effectiveness of cyber threat analytics.

Why Use Graph Analytics?

Graph analytics shifts the focus from individual events to relationships between entities, making it easier to:

• Expose attack chains by mapping how threats spread across systems.
• Detect hidden links between compromised assets that may not appear suspicious on their own.
• Identify anomalies that deviate from normal patterns of interaction.
• Accelerate investigations by providing a visual and structured representation of threat activity.

How It Works

Security data is transformed into a graph where nodes represent entities like IP addresses, users, and domains, while edges define their interactions. This structure allows security teams to:

1. Build a network of relationships from security logs and external intelligence sources like Open Threat Exchange (OTX).
2. Detect patterns that match known attack behaviors or reveal suspicious anomalies.
3. Investigate threats visually to track an attacker’s movements and determine the full scope of an incident.

By shifting from log-based analysis to a graph-driven approach, security teams gain a clearer picture of complex threats.

Next, we introduce PuppyGraph, a tool designed to simplify cyber threat investigations using graph analytics.

Graph analytics using PuppyGraph

PuppyGraph is the first and only real time, zero-ETL graph query engine in the market, empowering data teams to query existing relational data stores as a unified graph model in under 10 minutes, bypassing traditional graph databases' cost, latency, and maintenance hurdles. 

With PuppyGraph, security analysts can model cybersecurity data as a graph, revealing relationships between threats, attack paths, and malicious entities. This approach enhances threat investigations by making it easier to detect patterns, uncover hidden connections, and analyze threats visually.

Next, we’ll walk through a hands-on demo using PuppyGraph to analyze real-world threat intelligence data from Open Threat Exchange (OTX).

Open Threat Exchange (OTX) Demo

This demo showcases real-time threat analysis using data from Open Threat Exchange (OTX), a global threat intelligence-sharing platform. The goal is to transform raw OTX threat intelligence into a graph model and analyze relationships between pulses and indicators of compromise (IOCs). According to the OTX FAQ, pulses provide a summary of the threat, related IOCs, details about targeted software, and other valuable insights that help detect and analyze potential threats.

The demo covers:

• Downloading threat intelligence data from OTX.
• Storing the data in PostgreSQL.
• Modeling the data as a graph in PuppyGraph.
• Querying relationships using Gremlin and Cypher.

docker compose up -d 

python3 -m venv myvenv  
source myvenv/bin/activate  
pip install psycopg2-binary 

cd ../OTX-Python-SDK  
pip install .  

docker exec -it postgres psql -h postgres -U postgres 

\d 

python data.py download  

python data.py import 

SELECT * FROM pulse LIMIT 5;

Modeling the Data as a Graph

• Log into PuppyGraph Web UI at http://localhost:8081 using:
  
  • Username: puppygraph
  • Password: puppygraph123
•  Upload the graph schema:
  
  • Navigate to Upload Graph Schema JSON.
  • Select schema.json and click Upload.

Querying Data with PuppyGraph

Navigate to the Query section in the PuppyGraph Web UI to run Gremlin or Cypher queries. 

• Use Gremlin Query for Gremlin queries with visualization (Cypher visualization is coming soon).
• Use Graph Notebook for Gremlin/Cypher queries.

Example Queries

Here are some example queries and you can see more in the repo.

Gremlin

Number of pulses:

g.V().hasLabel("pulse").count()

Max indicators linked to a pulse:

g.V().hasLabel("pulse").local(__.out("pulse_indicator").count()).max()

Top 10 pulses by indicator count:

g.V().hasLabel('pulse').as('p')
    .project('name', 'description', 'indicatorCount')
        .by('name')
        .by('description')
        .by(__.out('pulse_indicator').count())
    .order().by(select('indicatorCount'), desc)
    .limit(10)

Finds all indicator nodes with at least two incoming pulse_indicator edges and returns the corresponding paths as a subgraph:

g.V().hasLabel("indicator")
  .where(__.in("pulse_indicator").count().is(gte(2)))
  .in("pulse_indicator").path()

‍Cypher

Number of pulses:

MATCH (n:pulse) RETURN COUNT(n)

Max indicators linked to a pulse:

MATCH (p:pulse)
OPTIONAL MATCH (p)-[:pulse_indicator]->(i)
WITH p, COUNT(i) AS indicatorCount
RETURN max(indicatorCount) AS maxIndicatorCount

Top 10 pulses by indicator count:

MATCH (p:pulse)
OPTIONAL MATCH (p)-[:pulse_indicator]->(i)
WITH p, COUNT(i) AS indicatorCount
RETURN p.name, p.description, indicatorCount
ORDER BY indicatorCount DESC
LIMIT 10

Finds all indicator nodes with at least two incoming pulse_indicator edges and returns the corresponding paths as a subgraph:

MATCH (i:indicator)<-[:pulse_indicator]-(p:pulse)
WITH i, COUNT(p) AS pulseCount
WHERE pulseCount >= 2
MATCH path = (p)-[:pulse_indicator]->(i)
RETURN path

 docker compose down -v