Enterprise computing networks, in which a particular organization employs numerous computing devices that can communicate with one another and share data, are often complex. Adding to this complexity, computer networks change constantly: machines are added and removed, patches are applied, applications are installed, firewall rules are changed, and so on. Changes to the network can have substantial impacts on the security posture of the network and of the enterprise that employs it.
Oftentimes, simply detecting a network intrusion is not sufficient to understand and visualize how the purported attack may impact a computer network and the organizational mission functions that depend on continued network operations. The obstacle to completely analyzing a computer network for vulnerabilities is frequently not a lack of information, but rather the difficulty of assembling disparate pieces of information into an overall analytic picture that supports situational awareness, optimal courses of action, and mission readiness. Security analysts and operators can be overwhelmed by a variety of consoles from multiple security analysis tools, with each tool providing only a limited view of one aspect of the overall space under consideration. Tools such as security information and event management (SIEM) systems can help by normalizing data and bringing it together under a common framework. But the data and events can still remain as individual pieces of information, rather than forming a comprehensive model of network-wide vulnerability paths, adversary activities, and potential mission impacts.
In order to allow security analysts to better assess computer network vulnerabilities, a system that maximizes the analysts' ability to discover potential threats and mission impacts, while minimizing the time it takes to organize multiple and disparate data sources into meaningful relationships for decision making, can prove useful.