Blog

Super Computing 2018 After Action - a case study in threat hunting

Jan 31, 2019 11:01:46 AM / by Corey Thuen

For the 2018 Super Computing Conference (SC18, held in Dallas, TX), Gravwell provided our analytics platform to the Network Security team. These brave souls were responsible for cyber security on a network consisting of $52 million in contributed hardware, software, and services plus 4.02 Terabits per second of external capacity. This means that not only does the SCinet Network Security team need to protect SCinet from the world, it needs to protect the world from SCinet.

JJ3_9878

This is a challenging task but we were excited to give it a go and I think the results were spectacular. Jason Zurawski, SCinet chair for SC18, observed “The SCinet is purposely designed to facilitate experimentation for new hardware, software, and services. We are pleased to support emerging companies, such as Gravwell, as they pioneer new products and learn from performance of our network and the experience of our volunteers."


And learn we did! We learned that Gravwell is not only up to the task of handling these kinds of analytics, but we also did it on significantly less hardware than previous years. During the event, Gravwell ingested over 4.6 billion entries comprising over 1TB of data from a variety of sources. Analysts ran 4281 manual searches, 17325 automated searches, and viewed dashboards 1159 times during the two weeks in the Network Operations Center (NOC).


All those numbers seem great but what was the actual impact for the team? The SCinet Network Security team benefited in two major ways. First, a good chunk of tedious analysis and investigation was automated with Gravwell which freed up analysts to focus on threats that mattered. Secondly, investigations were expedited using Gravwell pre-built investigation dashboards and since insights are built off of actual data, not metadata translations, root-cause analysis is always possible.


At SC18, the SCinet Network Security team used Gravwell to stop continuous internet attacks automatically. With a good chunk of busy work removed, the team was freed up to better to identify, hunt, and respond to an actual attack that sought to bring the entire force of 4.02 Tb/s against an unsuspecting SaaS company. Thanks to a crack team and the power of Gravwell, the day was saved.

Read the full case study to follow along with the hunt process and see how it was done.

Get the SC18 Case Study

Book some time with the Gravwell team to implement this level of defense in your organization by emailing sales@gravwell.io or visiting https://www.gravwell.io/schedule-a-demo.

Topics: Case study

Corey Thuen

Written by Corey Thuen

Co-Founder of Gravwell