10/22/2013
05:10 PM

Visualizing Security Analytics That Don't Stink

Data visualizations can make or break efforts in data-driven security

When it comes to sifting through an inordinate amount of security data in order to make informed decisions, success depends not just on how one slices and dices that data via algorithms and analysis. Equally important is how that data is eventually presented, whether to IT operations staff making daily decisions, IT leaders developing strategic initiatives, or higher-level executives who hold the purse strings.

As with many other analytics programs, data visualization is more than producing pretty charts. Good graphical interpretation of data, and an effective selection of which data to use to tell the relevant stories, can mean the difference between timely decision making and an exercise in numerical futility.

"Data visualization is an important tool in security analytics because you often don't know exactly what you're looking for," says Dwayne Melancon, chief technology officer for Tripwire. "The human brain is very good at seeing anomalies in large groups of data and interacting with the data visually taps into that strength. After all, a lot of security is finding small, suspicious occurrences within a sea of 'normal' events -- and visualizations are a great way to do just that."

According to data scientists, effective data visualization starts with choosing which numbers tell the story. One effective way to offer digestible visualizations is to look for analytical ways to reduce the dimensions of the data, says Ram Keralapura, data scientist for Netskope, a cloud apps analytics and policy creation company.

"So how do we actually show information in a compact form?" Keralapura says. "One of the ways we do that is by collapsing multiple dimensions into a single dimension, or at least fewer dimensions, so the end user can more easily understand what's happening."

For example, Keralapura's company monitors dozens of different factors that go into how risky a cloud connection might be, such as the types of security certifications an organization holds, the auditing policies it has in place, its notification policies, and so on. Rather than throwing those numbers over to customers in a massive table for every possible cloud connection, Netskope developed what it calls a Cloud Confidence Index, a single score that rolls up each of those individual data points.

Obviously, that's just a first step to good visualization -- even more important is establishing an effective graphical representation of a data set, so that a data user can sift through individual points at a glance rather than scanning through pages and pages of raw numbers or Excel spreadsheets.

"Human beings tend to be good at perceiving patterns, especially visually; we learn to recognize faces at a young age, for example, and then spend the rest of our lives seeing them in clouds, wood grain, burn patterns in toast, and so on," says Kevin O'Brien, enterprise solution architect for CloudLock. "What this reveals is that our brains are incredibly well-tuned toward this type of behavior along a specific sensory axis -- sight. By translating fairly esoteric text into visual information, we can tap into that 'rapid response' mechanism more readily and make decisions based on it."

Unfortunately, today many security tools tend to simply offer numbers in grid formats or spreadsheets, says Shawn Tiemann, solutions engineer for LockPath, explaining that running through a "pile of vulnerabilities" means you have to read through thousands of items.

"Visualization makes it more digestible and easier to consume so a CISO or director of security can make informed decisions about the business without losing 10 to 20 hours of their life going over nitty-gritty details of those items," he says.

One example of this is the traditional heat map method of visualization, says Keralapura, who explains that this can be useful for such tasks as monitoring source and destination IP addresses.


"If you're looking at total number of connections that they're using, a heat map is absolutely the right visualization in that context to be able to say, 'These are the heavy hitters, and these are the ones that exchange the most traffic and so on,'" he says.
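The source/destination heat map described above, as an added example that is not part of the article: a handful of constructed flow records in a simplified "timestamp src dst bytes" form are aggregated into a source-by-destination matrix, the heavy hitters are ranked, and the matrix is rendered as a text heat map (field layout and sample addresses are this example's own assumptions).

```python
from collections import Counter

# Constructed sample flow log lines: timestamp, source IP, destination IP, bytes.
SAMPLE_FLOWS = """\
2013-10-22T09:00:01 10.0.0.5 192.0.2.10 4200
2013-10-22T09:00:02 10.0.0.5 192.0.2.10 3900
2013-10-22T09:00:03 10.0.0.7 192.0.2.10 120
2013-10-22T09:00:04 10.0.0.5 192.0.2.11 88000
2013-10-22T09:00:05 10.0.0.9 198.51.100.3 500
2013-10-22T09:00:06 10.0.0.5 192.0.2.10 4100
2013-10-22T09:00:07 10.0.0.9 198.51.100.3 650
2013-10-22T09:00:08 10.0.0.7 192.0.2.11 70
"""

def parse_flows(text):
    """Yield (src, dst, bytes) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def build_matrix(flows):
    """Two src x dst aggregates: number of connections and bytes exchanged."""
    counts, volume = Counter(), Counter()
    for src, dst, nbytes in flows:
        counts[(src, dst)] += 1
        volume[(src, dst)] += nbytes
    return counts, volume

def heavy_hitters(matrix, top=3):
    """The (src, dst) pairs with the largest value of the chosen metric."""
    return matrix.most_common(top)

def render_heatmap(matrix, shades=" .:-=#"):
    """Text heat map: rows are sources, columns destinations, darker = more."""
    srcs = sorted({s for s, _ in matrix})
    dsts = sorted({d for _, d in matrix})
    peak = max(matrix.values()) or 1
    rows = ["src/dst".ljust(14) + " ".join(d.ljust(13) for d in dsts)]
    for s in srcs:
        cells = []
        for d in dsts:
            level = round((len(shades) - 1) * matrix.get((s, d), 0) / peak)
            cells.append((shades[level] * 3).ljust(13))
        rows.append(s.ljust(14) + " ".join(cells))
    return "\n".join(rows)
```

Ranking by connection count and by byte volume surfaces different heavy hitters from the same sample, which is why both aggregates are kept.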

Tiemann says he's also a fan of tree mapping, which allows a "true drill-down experience."

"Using that vulnerability security data as an example, you could start at a high level of how severe it is and then maybe click on high-ranking vulnerabilities and from there see what's new versus what's existing or drill into which scanner supplied the data and what business units those vulnerabilities exist in," he says. "With a tree map you can distill that information down to see where the problem exists geographically all the way down to which assets they exist in."
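The tree map drill-down Tiemann describes, as an added example that is not from the article or LockPath's product: constructed vulnerability findings are rolled up into the nested sizes a tree map needs (severity, then new versus existing, then scanner, business unit and asset), and a drill function returns the cell sizes at each click (field names and sample values are this example's own assumptions).

```python
# Constructed sample findings; the field names are this example's own choice.
FINDINGS = [
    {"severity": "high", "status": "new", "scanner": "scannerA", "unit": "finance", "asset": "fin-db-01"},
    {"severity": "high", "status": "new", "scanner": "scannerA", "unit": "finance", "asset": "fin-web-02"},
    {"severity": "high", "status": "existing", "scanner": "scannerB", "unit": "retail", "asset": "pos-07"},
    {"severity": "medium", "status": "new", "scanner": "scannerA", "unit": "retail", "asset": "pos-07"},
    {"severity": "low", "status": "existing", "scanner": "scannerB", "unit": "finance", "asset": "fin-db-01"},
    {"severity": "high", "status": "new", "scanner": "scannerB", "unit": "retail", "asset": "pos-07"},
]

# Drill order: each level is one click deeper in the tree map.
LEVELS = ("severity", "status", "scanner", "unit", "asset")

def build_tree(findings, levels=LEVELS):
    """Nested dict keyed by field value; "_n" at every node is its cell size."""
    root = {"_n": 0}
    for f in findings:
        node = root
        node["_n"] += 1
        for level in levels:
            node = node.setdefault(f[level], {"_n": 0})
            node["_n"] += 1
    return root

def drill(tree, path):
    """Follow the clicked cells in path; return child cells, largest first."""
    node = tree
    for depth, key in enumerate(path):
        if key not in node or key == "_n":
            raise KeyError(f"no cell {key!r} at depth {depth}")
        node = node[key]
    children = {k: v["_n"] for k, v in node.items() if k != "_n"}
    return sorted(children.items(), key=lambda kv: (-kv[1], kv[0]))

def share(tree, path):
    """Fraction of all findings under the cell at path (its area in the map)."""
    node = tree
    for key in path:
        node = node[key]
    return node["_n"] / tree["_n"]
```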

As security departments look for tools that can do the heavy lifting of translating constantly changing data into visualizations, some might buy tools built specifically for data analysis, such as an IBM Cognos or a Maltego. They could also work with other departments, such as a business analytics department that might already have access to these tools, and to data scientists who can tailor these tools for security applications. But, also, security departments should be leaning on their vendors to offer built-in visualization tools within their products, Tiemann says, explaining that they should not only look for good charting, but also for easy ways for the organization to get charting that is pumped out depending on the data user's role in the organization. That's because the type of data and how it is presented should change between the CEO, CIO, CISO, and IT operations staff.

But IT departments and security pros don't necessarily need to invest in expensive tools to get started with better security storytelling through visualizations. When you're telling a story, particularly when pitching higher-ups for more budget or a change of process, it can pay to invest time in manually designing the data visuals, says J.J. Thompson, CEO and managing director of Rook Consulting. He says he has gotten clients to make much quicker decisions about buying into projects or changing processes by switching from multiple-slide PowerPoint decks to a single infographic-like one-pager that tells the same story graphically.

"What we've found is if we can forward one thing that someone can glance at and understand what's going on, what the value proposition is, and what next steps look like, that tends to get approved quickly," Thompson says. "It's not useful for everything, but it is useful for demonstrating progress in where you're at, for capabilities overviews or for spotting anomalies in data."

Thompson recommends that security practitioners look at sites like visual.ly for ideas of how infographics work and then search online for template tools to help build out simple visualizations. He and his team also invested in Adobe tools to make more sophisticated graphics.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Peter Fretty, User Rank: Apprentice
10/30/2013 | 4:13:45 PM
re: Visualizing Security Analytics That Don't Stink
Great topic that truly hits home. Being able to visualize security metrics is instrumental in telling the story to gain budget as you suggest. However, it is also helpful in telling the story throughout the end user education process. While users may not need as much depth, infographics are quite powerful in persuading and gaining buy-in.

Peter Fretty, IDG blogger working on behalf of Sophos