Democratizing Graph-Based Security: Introducing Starbase

Security is a basic human right, but many security teams struggle to answer even seemingly basic questions about attack surface or blast radius due to poor visibility into relationships between assets. This knowledge is key to identifying security vulnerabilities, attack vectors, and the blast radius of compromise. Having an open-source utility that exposes these relationships can be a game changer for individuals and companies who need to have a better understanding of their current security operations.

In order to secure any system or service, there are three key informational requirements:

• Knowledge of the assets that you have
• Knowledge of the relationships between assets that you have
• Knowledge of what questions to ask about what you have

Humans think in abstract and complex questions that require deep knowledge to properly answer. Consider the following examples:

1. Which user accounts represent my employees?
2. Which of my employee user accounts have MFA disabled?
3. Which of my source control repositories are accessible to outside collaborators?

Questions have varying levels of complexity and therefore require varying levels of knowledge to answer. The JupiterOne team is very excited to launch a new open source tool that will assist security professionals, software developers, and IT practitioners expand their knowledge about what assets they have and provide deep insights into how these assets are valuable.

Introducing Starbase, An Open Source Solution for Everyone

Starbase collects assets and their relationships from services and systems to provide deep asset visibility. Starbase integrates with over 70+ different systems that range from cloud service providers, source control providers, IdPs, vulnerability management platforms, HR platforms, and much more! Starbase is backed by the open source graph database, Neo4j, and the Starbase data is visible and queryable from an intuitive graph view!

🙋 Why Starbase?

Starbase offers three key advantages:

1. Depth and breadth - Deep visibility from a breadth of external services and systems. Thousands of entities (vertices) and relationships (edges) are available out-of-the-box.
2. Uniform data model - The data that Starbase collects conforms to a uniform data model, making it easy to develop generic queries.
3. Easily extensible - Starbase graph integrations can be easily developed using our SDK!

🤔 Who is Starbase for?

Have you previously spent time in building and implementing Neo4j graphs for a single class of data into your workflows? Then you know how difficult it is to scale complex data systems and classes.

This solution was built for tinkers and builders who want to normalize their data modeling and understand the current state of their security operations. With Starbase, you can scale up your visualizations even more.

🤔 Interesting! Where do I start?

Starbase is quite easy to configure and execute! The high-level steps are as follows, and are described in detail in the Starbase README.

1. Install the prerequisites
2. Clone the Starbase project
3. Install dependencies
4. Obtain API credentials for each external system that you'd like to integrate
5. Configure Starbase
6. Launch! 🚀

✅ I’m ready…What can I do with Starbase?

In the following section, we will cover the following three scenarios:

1. Which user accounts represent my employees?
2. Which of my employee user accounts have MFA disabled?
3. Which of my source control repositories are accessible to outside collaborators?

The following three services are used in our example environment:

• Google Cloud
• Google Workspace
• GitHub

The following is an example starbase.yaml file that describes our configured use cases:

integrations:
  -
    name: graph-github
    instanceId: my-starbase-github-integration
    directory: ./.integrations/graph-github
    gitRemoteUrl: https://github.com/JupiterOne/graph-github.git
    config:
      GITHUB_APP_ID: 1234
      GITHUB_APP_LOCAL_PRIVATE_KEY_PATH: /Users/myuser/Downloads/starbase-test.2022-02-20.private-key.pem
      INSTALLATION_ID: 5678
storage:
  engine: neo4j
  config:
    username: neo4j
    password: devpass
    uri: bolt://localhost:7687

After we've executed Starbase, we're ready to explore our data!

Which user accounts represent my employees?

Starbase adheres to a uniform data model. Users from every platform are automatically classified as "User" and the original service provider information is maintained. This allows for abstract queries to be written, or very targeted queries to be written.

For example, using Neo4j's Cypher query language, we can easily find all users from Starbase: 

MATCH (user:User) RETURN user

‍

Which of my employee user accounts have MFA disabled?

In organizations where there are a vast number of platforms that employees have registered for, it is very difficult to audit critical security controls such as MFA enablement. Starbase integrations not only classify resources, but also ensure that entity properties adhere to a consistent data model.

MATCH (user:User { 
  mfaEnabled: false 
}) RETURN user

You can see in the above query, that one of the users does not have MFA enabled! We should go track that person down ...

Which of my source control repositories are accessible to outside collaborators?

As a company that is heavily invested in open source, the JupiterOne security team is very interested in which of our GitHub repositories are accessible by outside collaborators. This information can help us identify which users are over-privileged or which source control repositories need to be locked down.

MATCH (account:github_account)-[OWNS]->
  (repo:github_repo)-[ALLOWS]->
  (user:github_user {
    role:"OUTSIDE"
  })
RETURN account, repo, user

Cool! What else can I do?

Explore your data further! The video below walks through some of the examples above and provides a starting point to discover more with Starbase:

The Starbase source code and all of JupiterOne's existing graph integration projects are available to the open source community. All projects are available under the Mozilla Public License Version 2.0. It is our hope that this will be of use to the open source community and contribute to our overall belief that security is a basic right.

If you'd like to ask questions or discuss Starbase further, feel free to put in an issue on our GitHub page or chat with us on our community Slack #starbase channel. If you're not already in our community Slack, join here.

Last but certainly not least, huge shout out to my team Adam Pierson and Nick Dowmon for all the work they put into the engineering of Starbase!