Just as a picture says 1,000 words, a good data visualization can offer far more information about a large data set than raw numbers or outputs ever could. As security teams advance their security analytics practices, data visualization will play an important role in their day-to-day analysis. The following are some of the most effective ways organizations today are graphically crunching the numbers to gain a better understanding of their security postures.
Hierarchical tree maps can offer a spatially ordered, at-a-glance view of rankings that can prove particularly useful in areas like IP addresses and classes in object-oriented design. Color, size of boxes, and location on the tree map can all play a role in weighting an object's significance in ranking. According to Frank Dickson, analyst with Frost & Sullivan, WatchGuard offers a good example of this in its Dimension visibility product, which "filters traffic to highlight the most critical information on active users and their connections, with a pivot option to facilitate drill-down and filtering tasks."
Image Source: WatchGuard
Link charts can be as simple or as complex as necessary, but their purpose is to show the visual relationship between a number of different entities, which can be extremely useful in mapping networked relationships. In security analysis, link charts can translate to a better understanding of fraudulent transactions and network monitoring.
Image Source: Raytheon Cyber Products Company
Graph pattern matching can offer an advanced way to spot trending behavior in a hurry. For example, in this visualization done by 21CT, malicious data exfiltration behavior is shown. External machines are depicted as flags, while the internal machines they've attempted to access are represented by blue terminals. This shows several weeks of activity, with lightning bolts standing for triggering alerts.
Image Source: 21CT
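The exfiltration pattern described above (many internal machines pushing data to the same external host over weeks, with sensor alerts marked along the edges) can be reduced to a small graph query before anything is drawn. The following is an added example, not 21CT's code or anything from the original article; the flow log, the internal address ranges and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow log (not from the page): timestamp,src,dst,bytes,alert
# where alert is 1 when a sensor fired on that flow (the "lightning bolts").
FLOWS = """\
2014-03-03T09:12:00,10.0.1.15,203.0.113.7,52000000,1
2014-03-04T22:40:00,10.0.1.22,203.0.113.7,31000000,0
2014-03-09T23:05:00,10.0.2.8,203.0.113.7,27000000,1
2014-03-15T02:15:00,10.0.1.15,203.0.113.7,60000000,0
2014-03-05T10:00:00,10.0.1.15,198.51.100.20,1200,0
2014-03-06T10:30:00,10.0.1.22,198.51.100.20,950,0
2014-03-07T11:00:00,10.0.3.4,198.51.100.20,1700,0
2014-03-08T12:00:00,10.0.1.15,192.168.5.5,9000000,0
"""

# Assumed internal address space for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def build_graph(flow_text):
    """Bipartite graph external -> {internal: [bytes_out, alerts]} from outbound flows."""
    graph = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in flow_text.strip().splitlines():
        _ts, src, dst, nbytes, alert = line.split(",")
        if is_internal(src) and not is_internal(dst):   # keep only outbound edges
            edge = graph[dst][src]
            edge[0] += int(nbytes)
            edge[1] += int(alert)
    return graph

def exfil_candidates(graph, min_internal=3, min_bytes=100_000_000):
    """External hosts that several internal hosts pushed a large total volume to.

    The fan-in count and byte volume are the pattern; alerts are carried along
    so an analyst can see how many sensor hits sit on the flagged edges.
    """
    hits = {}
    for ext, edges in graph.items():
        total = sum(b for b, _ in edges.values())
        alerts = sum(a for _, a in edges.values())
        if len(edges) >= min_internal and total >= min_bytes:
            hits[ext] = {"internal": sorted(edges), "bytes": total, "alerts": alerts}
    return hits
```

On the constructed log, only 203.0.113.7 matches: three internal hosts, 170 MB outbound, two alerts, while the equally well-connected 198.51.100.20 drops out on volume.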
3D visualizations can prove useful in illustrating complicated attack relationships that would otherwise take researchers a long time to uncover. For example, researchers with OpenDNS say their use of 3D modeling allowed them to view relationships between Cryptolocker domains weeks before other researchers in order to better understand its ripple effect.
Image Source: OpenDNS
Timeline visualizations can provide a useful means for forensics experts to delve into an event and create a visual flow of event activities to better understand its progression. While not specifically a security tool, per se, i2 Analyst Notebook, pictured here, offers timeline features, along with a number of other useful visualization tools.
"We use i2 Analyst Notebook," says Dylan Evans of Reveal Digital Forensics and Security. "These tools are not IT-specific, but are suitable for any situation related to intelligence and analytical analysis."
Image Source: IBM
Map-based visualizations can prove useful for security operations centers and researchers seeking to pinpoint geographic attack patterns. One example of this is Arbor Networks' Attack Map, which was created by collaborating with Google Ideas to show an interactive visualization based on anonymous data from Arbor Networks' ATLAS global threat monitoring system to depict historical trends in DDoS attacks. Updated daily, it can be found at http://www.arbornetworks.com/asert/map/.
Image Source: Arbor Networks
Parallel Coordinate Plots can offer an effective means for crunching large data sets for network analysis. According to Greg Conti, associate professor and director of the Information Technology Operations Center at West Point, the method is "extremely powerful and well-suited for visualizing network data." Pictured here is a visualization based on network log data that was done by security visualization expert Raffael Marty.
Image Source: Raffy.ch
As cool as complex visualization techniques may be, don't discount the impact of standard charting. Simple methods like bar charts, box plots, and color-coded risk ranking can still play an important role in communicating data.
"Much of the work that gets a lot of attention is complex, interactive infographics or heatmaps or multiconnection, 20-variable graphs. I contend that simplicity is best," says Michael Roytman, data scientist for Risk IO. "Our most effective dashboarding techniques are as simple as they come -- bar charts and histograms, benchmarking line plots, and simple numerical scores for comparison."
Shown here is a vulnerability scoring system done by his firm.
Image Source: Risk IO
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.