Gravwell strives to be an "ingest first and ask questions later" platform for users who may not have a strong handle on exactly what they are ingesting or what questions may arise in the future. Gravwell is a truly unstructured ingest and search platform, right down to the bytes. Unstructured storage and querying lets system administrators and DevOps engineers move quickly without spending time normalizing data. Hunt operators and incident responders don't have to worry about what can and cannot be ingested, nor make the difficult decision to throw data away. Whether ingesting text logs, network packet captures, or industrial control system (ICS) sensor data, Gravwell allows users to ingest and query ground-truth data in its native format.
Gravwell's core competencies enable a wide variety of use cases, but we're focusing on some initial offerings that stem from the founders' backgrounds. In the security space, Gravwell has been used as a hunting platform and as a way to augment existing security personnel in the face of the cybersecurity staffing shortage. The platform helps sort through "alert overload": Gravwell customers can identify meaningful alerts and hunt all the way down to the ground-truth root-cause data. One practical example is our pre-built Gravwell dashboards for Security Onion, which analyze Bro, Suricata, and Snort output alongside some custom packet capture analytics.
In the ICS space we recognize that the process is the crown jewels, and your security operations center (SOC) should be process-aware. For all customers, we offer Gravwell integration services directly to ensure customer success. In ICS, this results in a solution built for each unique process, one that typically starts 100% passive and moves to active collection only once value and safety have been demonstrated. Properly integrated, Gravwell can combine elements of a historian, an HMI, and a SIEM to provide holistic "ground truth" insight. When hunting a potential breach, it is imperative to know whether attackers controlled the process. For those interested in unifying the IT and OT SOCs, Gravwell is the only option that can handle all of the disparate data types. The cyber kill chain isn't confined to one area: a phishing attack against OT personnel has potential impact on the process network, and Gravwell enables organizations to have complete and unerring visibility.