Visualizing Security Analytics That Don't Stink

Data visualizations can make or break efforts in data-driven security

When it comes to sifting through an inordinate amount of security data in order to make informed decisions, success depends not just on how one slices and dices that data via algorithms and analysis. Equally important is how that data is eventually presented, whether it be to IT operations making daily decisions, IT leaders developing strategic initiatives or to higher level executives who hold the purse strings.

As with many other analytics programs, data visualization is more than producing pretty charts. Good graphical interpretation of data and an effective selection of data to tell the relevant stories can mean the difference between timely decision making and simply succumbing to an exercise in numerical futility.

"Data visualization is an important tool in security analytics because you often don't know exactly what you're looking for," says Dwayne Melancon, chief technology officer for Tripwire. "The human brain is very good at seeing anomalies in large groups of data and interacting with the data visually taps into that strength. After all, a lot of security is finding small, suspicious occurrences within a sea of 'normal' events -- and visualizations are a great way to do just that."

According to data scientists, effective data visualization starts first with choosing which numbers to tell the story. One effective means to offer digestible visualization is to look for analytical ways to reduce the dimensions of data, says Ram Keralapura, data scientist for Netskope, a cloud apps analytics and policy creation company.

"So how do we actually show information in a compact form?" Keralapura says. "One of the ways we do that is by collapsing multiple dimensions into a single dimension, or at least fewer dimensions, so the end user can more easily understand what's happening."

For example, Keralapura's company monitors dozens of different factors that go into how risky a cloud connection might be, such as the types of security certifications an organization might have, the auditing and notification policies it has in place, and so on. Rather than just throwing those numbers over to customers in a massive table for every cloud connection possible, Netskope developed what it calls a Cloud Confidence Index, a number that rolls up each of those other points into one score for that data.

Obviously, that's just a first step to good visualization -- even more important is establishing an effective graphical representation of a data set, so that a data user can sift through individual points at a glance rather than scanning through pages and pages of raw numbers or Excel spreadsheets.

"Human beings tend to be good at perceiving patterns, especially visually; we learn to recognize faces at a young age, for example, and then spend the rest of our lives seeing them in clouds, wood grain, burn patterns in toast, and so on," says Kevin O'Brien, enterprise solution architect for CloudLock. "What this reveals is that our brains are incredibly well-tuned toward this type of behavior along a specific sensory axis -- sight. By translating fairly esoteric text into visual information, we can tap into that 'rapid response' mechanism more readily and make decisions based on it."

Unfortunately, today many security tools tend to simply offer numbers in grid formats or spreadsheets, says Shawn Tiemann, solutions engineer for LockPath, explaining that running through a "pile of vulnerabilities" means you have to read through thousands of items.

"Visualization makes it more digestible and easier to consume so a CISO or director of security can make informed decisions about the business without losing 10 to 20 hours of their life going over nitty-gritty details of those items," he says.

One example of this is the traditional heat map method of visualization, says Keralapura, who explains that this can be useful for such tasks as monitoring source and destination IP addresses.

"If you're looking at total number of connections that they're using, a heat map is absolutely the right visualization in that context to be able to say, 'These are the heavy hitters, and these are the ones that exchange the most traffic and so on,'" he says.
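The aggregation behind such a heat map, as an added example that is not from the article or from Netskope: it counts connections per source/destination pair, ranks the heavy hitters, and renders the matrix as text. The log format, IP addresses and shade characters are constructed for illustration.

```python
from collections import Counter

# Constructed sample log, one "source_ip destination_ip" line per connection.
SAMPLE_LOG = (
    "10.0.0.5 10.0.1.20\n" * 40
    + "10.0.0.5 10.0.1.21\n" * 3
    + "10.0.0.7 10.0.1.20\n" * 12
    + "10.0.0.7 10.0.1.22\n"
    + "10.0.0.9 10.0.1.21\n" * 20
    + "malformed-line\n"
)

SHADES = "-.:*#"  # '-' means no traffic; darker characters mean more connections


def connection_matrix(log_text):
    """Count connections per (source, destination) pair, skipping bad lines."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            counts[(parts[0], parts[1])] += 1
    return counts


def heavy_hitters(counts, n=3):
    """Return the n busiest pairs, busiest first."""
    return counts.most_common(n)


def render_heatmap(counts):
    """One text row per source, one shaded cell per destination."""
    sources = sorted({s for s, _ in counts})
    dests = sorted({d for _, d in counts})
    peak = max(counts.values(), default=1)
    rows = []
    for s in sources:
        cells = ""
        for d in dests:
            c = counts.get((s, d), 0)
            # Linear scale against the busiest pair; any nonzero count
            # gets at least the lightest mark so quiet pairs stay visible.
            idx = 0 if c == 0 else max(1, round(c / peak * (len(SHADES) - 1)))
            cells += SHADES[idx]
        rows.append(f"{s:<10} {cells}")
    return rows


if __name__ == "__main__":
    matrix = connection_matrix(SAMPLE_LOG)
    print("\n".join(render_heatmap(matrix)))
    print(heavy_hitters(matrix, 2))
```

With a linear scale, one dominant pair pushes everything else into the lightest shade, so a log scale is often the better choice on real traffic.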

Tiemann says he's also a fan of tree mapping, which allows a "true drill-down experience."

"Using that vulnerability security data as an example, you could start at a high level of how severe it is and then maybe click on high-ranking vulnerabilities and from there see what's new versus what's existing or drill into which scanner supplied the data and what business units those vulnerabilities exist in," he says. "With a tree map you can distill that information down to see where the problem exists geographically all the way down to which assets they exist in."
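The hierarchy a tree map like this is drawn from, as an added example that is not LockPath's code: findings are rolled up in the order Tiemann describes (severity, new versus existing, scanner, business unit, asset), and each drill-down step returns the counts that would size the next level's rectangles. Field names, scanner names, business units and assets are constructed.

```python
FIELDS = ("severity", "status", "scanner", "business_unit", "asset")

# Constructed sample findings; one tuple per vulnerability finding.
ROWS = [
    ("high", "new", "scanner-a", "finance", "fin-db-01"),
    ("high", "new", "scanner-a", "finance", "fin-db-01"),
    ("high", "new", "scanner-b", "retail", "pos-gw-03"),
    ("high", "existing", "scanner-a", "finance", "fin-web-02"),
    ("medium", "new", "scanner-b", "retail", "pos-gw-03"),
    ("low", "existing", "scanner-a", "hr", "hr-app-01"),
]
FINDINGS = [dict(zip(FIELDS, row)) for row in ROWS]


def build_tree(findings, levels=FIELDS):
    """Nest findings level by level, keeping a count at every node."""
    root = {"count": 0, "children": {}}
    for finding in findings:
        node = root
        node["count"] += 1
        for level in levels:
            node = node["children"].setdefault(
                finding[level], {"count": 0, "children": {}}
            )
            node["count"] += 1
    return root


def drill(tree, *path):
    """Follow path from the root and return {child: count}, largest first.

    Each count is the area that child would occupy in the tree map.
    Raises KeyError if the path names a value that is not in the data.
    """
    node = tree
    for key in path:
        node = node["children"][key]
    ranked = sorted(node["children"].items(), key=lambda kv: -kv[1]["count"])
    return {name: child["count"] for name, child in ranked}


if __name__ == "__main__":
    tree = build_tree(FINDINGS)
    print(drill(tree))                        # by severity
    print(drill(tree, "high"))                # new vs. existing
    print(drill(tree, "high", "new"))         # by scanner
    print(drill(tree, "high", "new", "scanner-a", "finance"))  # by asset
```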

As security departments look for tools that can do the heavy lifting of translating constantly changing data into visualizations, some might buy tools built specifically for data analysis, such as an IBM Cognos or a Maltego. They could also work with other departments, such as a business analytics department that might already have access to these tools, and to data scientists who can tailor these tools for security applications. But, also, security departments should be leaning on their vendors to offer built-in visualization tools within their products, Tiemann says, explaining that they should not only look for good charting, but also for easy ways for the organization to get charting that is pumped out depending on the data user's role in the organization. That's because the type of data and how it is presented should change between the CEO, CIO, CISO, and IT operations staff.

But IT departments and security pros don't necessarily need to invest in expensive tools to get started with better security storytelling through visualizations. Sometimes when you're telling a story, particularly when you're pitching higher-ups for more budget or a change of process, it might pay to invest the time in some manual design of data visuals, says J.J. Thompson, CEO and managing director of Rook Consulting. He says he has gotten clients to make much quicker decisions about buying into projects or changing processes by switching from multiple-slide PowerPoint decks during presentations to a single infographic-like one-pager that tells the same story in a graphical manner.

"What we've found is if we can forward one thing that someone can glance at and understand what's going on, what the value proposition is, and what next steps look like, that tends to get approved quickly," Thompson says. "It's not useful for everything, but it is useful for demonstrating progress in where you're at, for capabilities overviews or for spotting anomalies in data."

Thompson recommends that security practitioners look at sites like for ideas of how infographics work and then search online for template tools to help build out simple visualizations. He and his team also invested in Adobe tools to make more sophisticated graphics.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Peter Fretty
10/30/2013 | 4:13:45 PM
re: Visualizing Security Analytics That Don't Stink
Great topic that truly hits home. Being able to visualize security metrics is instrumental in telling the story to gain budget as you suggest. However, it is also helpful in telling the story throughout the end user education process. While users may not need as much depth, infographics are quite powerful in persuading and gaining buy-in.

Peter Fretty, IDG blogger working on behalf of Sophos