Cyber Precog Packs Data Center Power in a Flyaway Kit
Written by Aaron Sant-Miller and J.C. Sullivan
Abstract
Built on NVIDIA’s Morpheus framework, Booz Allen’s Cyber Precog ushers in a new generation of incident response technology, accelerated by graphics processing units (GPU) and designed to empower the threat hunter.
Each year, organizations become more dependent on technology, with 2020 setting all-time highs in IT device usage. With more connected devices and more data, cyber threats are becoming more impactful and more tangible for many organizations. Significant advances have been made in hardening networks against adversaries, but most cyber intrusions are still detected long after the initial compromise, and remediation can take even longer.
When a network breach is detected, organizations typically move into incident response. Threat hunt teams are tasked with uncovering how the network was compromised, eliminating malicious actors, and hardening defenses to prevent future compromise. In many cases, these teams will bring a disconnected, small form-factor forensic platform to the fight, where they must analyze troves of data as quickly as possible to uncover the attack and mitigate increasing exposure risk.
In these “flyaway kits,” teams bring many familiar tools with them, but they face the challenge of analyzing more data than their hardware is capable of processing under condensed timelines. This is most salient when these forensic kits must be brought out to the tactical edge.
In practice, much of the current flyaway kit market is occupied by products that aim to compress enterprise-scale technology into tactical and portable form factors without the appropriate system-level enhancements. Although central processing units (CPU) can execute individual instructions very quickly, they are not optimized to execute large-scale, repeated instructions in parallel. GPUs, by contrast, are optimized for this type of processing, giving them a decided edge over CPUs for many of the data processing tasks required during incident response missions. For example, a single NVIDIA V100 Tensor Core GPU can parse Windows Event Logs as fast as a five-node CPU-powered cluster, offering data center processing power in a much smaller package.
Using existing technology, operators must either (1) selectively analyze a portion of the data that they hope will prove relevant or (2) focus on comprehensive data collection, conducting deeper analysis after the hunt on larger systems. While each approach has its tradeoffs, neither option allows cyber operators to bring their best cyber tradecraft to the mission.
To better enable incident response teams, particularly those tasked with threat hunting at the tactical edge, Booz Allen has partnered with NVIDIA to develop Cyber Precog. Cyber Precog is a highly customized, GPU-enabled platform that integrates operationally honed cyber tooling, mission-relevant artificial intelligence (AI) models, and modular pipelines for rapid capability deployment. Built using the NVIDIA Morpheus framework, Cyber Precog offers an initial suite of core capabilities along with a flexible software fabric for developing, testing, and deploying new GPU-accelerated analytics during an incident response mission. By building all components around an open architecture, Cyber Precog gives agility back to the threat hunters while bringing the power of an enterprise cloud environment to the edge.
Out of the box, Cyber Precog offers a number of custom GPU-accelerated data pipelines to help teams analyze the data they have faster than ever before. This ensures preferred tools can access data assets as fast as possible during time-constrained hunt operations.
As an exemplar capability out of the box, Cyber Precog’s NetFlow Aggregator demonstrates a 100x to 140x speedup (per processing unit) over existing CPU baselines, enabling immediate reconstruction of network maps and network communication profiles that are invaluable in early phases of incident response operations. Built across existing data pipelines are a number of operationally aligned AI solutions, all of which are centered on hunt-relevant cybersecurity use cases.
Cyber Precog aims to do more than provide GPU-accelerated capability: The platform’s analytic development interface offers preconfigured bindings into the NVIDIA Morpheus framework. This enables deeper integration with NVIDIA data processing units (DPU), where connections to GPU-enabled sensors allow for next-generation capabilities. Cyber Precog is designed to help make deployment of custom capabilities easier so that inexperienced GPU developers can rapidly drop new capabilities into optimized data pipelines. This allows for an unprecedented level of reactivity, as operators can efficiently deploy new capabilities on mission while customizing existing tools and data flows to that mission’s needs.
As a software fabric, Cyber Precog can be customized to run on any GPU-enabled hardware and optimized for an organization’s needs, including NVIDIA EGX servers. The platform is available for pilot, test and evaluation, and platform integration.