Visualizing Security Analytics That Don't Stink

Data visualizations can make or break efforts in data-driven security

When it comes to sifting through an inordinate amount of security data in order to make informed decisions, success depends not just on how one slices and dices that data via algorithms and analysis. Equally important is how that data is eventually presented, whether to IT operations staff making daily decisions, IT leaders developing strategic initiatives, or higher-level executives who hold the purse strings.

As with many other analytics programs, data visualization is more than producing pretty charts. Good graphical interpretation of data, and an effective selection of which data to show in order to tell the relevant stories, can mean the difference between timely decision-making and simply succumbing to an exercise in numerical futility.

"Data visualization is an important tool in security analytics because you often don't know exactly what you're looking for," says Dwayne Melancon, chief technology officer for Tripwire. "The human brain is very good at seeing anomalies in large groups of data and interacting with the data visually taps into that strength. After all, a lot of security is finding small, suspicious occurrences within a sea of 'normal' events -- and visualizations are a great way to do just that."

According to data scientists, effective data visualization starts with choosing which numbers tell the story. One effective way to offer digestible visualization is to look for analytical ways to reduce the dimensions of the data, says Ram Keralapura, data scientist for Netskope, a cloud-app analytics and policy-creation company.

"So how do we actually show information in a compact form?" Keralapura says. "One of the ways we do that is by collapsing multiple dimensions into a single dimension, or at least fewer dimensions, so the end user can more easily understand what's happening."

For example, Keralapura's company monitors dozens of different factors that go into how risky a cloud connection might be, such as the types of security certifications an organization holds, the auditing policies it has in place, the notification policies it has in place, and so on. Rather than just throwing those numbers over to customers in a massive table for every possible cloud connection, Netskope developed what it calls a Cloud Confidence Index, a single number that rolls up each of those other points into one score for that connection.

Obviously, that's just a first step toward good visualization -- even more important is establishing an effective graphical representation of a data set, so that a data user can sift through the individual points at a glance rather than scanning through pages and pages of raw numbers or Excel spreadsheets.

"Human beings tend to be good at perceiving patterns, especially visually; we learn to recognize faces at a young age, for example, and then spend the rest of our lives seeing them in clouds, wood grain, burn patterns in toast, and so on," says Kevin O'Brien, enterprise solution architect for CloudLock. "What this reveals is that our brains are incredibly well-tuned toward this type of behavior along a specific sensory axis -- sight. By translating fairly esoteric text into visual information, we can tap into that 'rapid response' mechanism more readily and make decisions based on it."

Unfortunately, many security tools today simply offer numbers in grid formats or spreadsheets, says Shawn Tiemann, solutions engineer for LockPath, explaining that running through a "pile of vulnerabilities" means reading through thousands of items.

"Visualization makes it more digestible and easier to consume so a CISO or director of security can make informed decisions about the business without losing 10 to 20 hours of their life going over nitty-gritty details of those items," he says.

One example of this is the traditional heat map method of visualization, says Keralapura, who explains that this can be useful for such tasks as monitoring source and destination IP addresses.


"If you're looking at total number of connections that they're using, a heat map is absolutely the right visualization in that context to be able to say, 'These are the heavy hitters, and these are the ones that exchange the most traffic and so on,'" he says.
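The heat map Keralapura describes is, underneath, a source-by-destination grid of connection counts. As an added illustration (not code from the article or from Netskope), the block below collapses constructed flow records into that grid, ranks the heavy hitters by connection count or bytes, and renders the grid as a text heat map; the flow records and the shade scale are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample flow records (src, dst, bytes); not from the article.
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 1200),
    ("10.0.0.5", "203.0.113.9", 800),
    ("10.0.0.5", "198.51.100.2", 300),
    ("10.0.0.7", "203.0.113.9", 150),
    ("10.0.0.7", "198.51.100.2", 90),
    ("10.0.0.7", "198.51.100.2", 40),
    ("10.0.0.9", "203.0.113.9", 2000),
    ("10.0.0.9", "203.0.113.9", 2000),
    ("10.0.0.9", "203.0.113.9", 2000),
    ("10.0.0.9", "192.0.2.44", 10),
]

def connection_matrix(flows):
    """Collapse raw flows into a src x dst grid of connection counts and byte totals."""
    counts = Counter((s, d) for s, d, _ in flows)
    byts = defaultdict(int)
    for s, d, b in flows:
        byts[(s, d)] += b
    return counts, byts

def heavy_hitters(flows, top=3, by="count"):
    """Rank src->dst pairs by connection count or total bytes: the hottest cells of the map."""
    counts, byts = connection_matrix(flows)
    metric = counts if by == "count" else byts
    return sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

SHADES = " .:-=+*#"  # darker character = hotter cell (constructed scale)

def render_heatmap(flows, by="count"):
    """Text heat map: rows are sources, columns destinations, shade scales with the cell value."""
    counts, byts = connection_matrix(flows)
    metric = counts if by == "count" else byts
    srcs = sorted({s for s, _, _ in flows})
    dsts = sorted({d for _, d, _ in flows})
    peak = max(metric.values())
    lines = [" " * 14 + " ".join(f"{d:>14}" for d in dsts)]
    for s in srcs:
        cells = []
        for d in dsts:
            v = metric.get((s, d), 0)
            shade = SHADES[round(v / peak * (len(SHADES) - 1))]
            cells.append(f"{shade * 3 + ' ' + str(v):>14}")
        lines.append(f"{s:>14}" + " ".join(cells))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_heatmap(FLOWS))
    print(heavy_hitters(FLOWS, by="bytes"))
```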

Tiemann says he's also a fan of tree mapping, which allows a "true drill-down experience."

"Using that vulnerability security data as an example, you could start at a high level of how severe it is and then maybe click on high-ranking vulnerabilities and from there see what's new versus what's existing or drill into which scanner supplied the data and what business units those vulnerabilities exist in," he says. "With a tree map you can distill that information down to see where the problem exists geographically all the way down to which assets they exist in."
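The drill-down Tiemann describes is a hierarchical roll-up: every level of the tree map is the same set of findings, bucketed one attribute deeper. As an added example (not code from the article or from LockPath), the block below builds that hierarchy over constructed findings in the order severity, new versus existing, scanner, business unit, asset, and sizes each level's tiles proportionally; the field names, scanner names and finding records are all constructed assumptions.

```python
from collections import Counter

# Constructed vulnerability findings (not from the article): one record per scanner result.
FINDINGS = [
    {"severity": "high", "status": "new", "scanner": "scannerA", "unit": "finance", "asset": "fin-db-01"},
    {"severity": "high", "status": "new", "scanner": "scannerA", "unit": "finance", "asset": "fin-web-02"},
    {"severity": "high", "status": "existing", "scanner": "scannerB", "unit": "retail", "asset": "pos-17"},
    {"severity": "medium", "status": "existing", "scanner": "scannerA", "unit": "retail", "asset": "pos-17"},
    {"severity": "medium", "status": "new", "scanner": "scannerB", "unit": "hr", "asset": "hr-app-01"},
    {"severity": "low", "status": "existing", "scanner": "scannerB", "unit": "hr", "asset": "hr-app-01"},
]

# Drill-down order, top level first (assumed; mirrors the sequence described in the quote).
LEVELS = ["severity", "status", "scanner", "unit", "asset"]

def drill(findings, path=()):
    """Return the children one level below `path`, sized by how many findings fall in each.

    `path` holds the values already clicked through, e.g. ("high", "new").
    """
    depth = len(path)
    if depth >= len(LEVELS):
        return {}
    subset = [f for f in findings if all(f[LEVELS[i]] == path[i] for i in range(depth))]
    return dict(Counter(f[LEVELS[depth]] for f in subset))

def tile_widths(sizes, total_width=40):
    """Split a row of `total_width` characters among children in proportion to their size."""
    total = sum(sizes.values())
    return {k: max(1, round(total_width * v / total)) for k, v in sizes.items()}

def render_row(findings, path=()):
    """One drill-down level drawn as a bar of labelled tiles, widest tile = biggest bucket."""
    sizes = drill(findings, path)
    widths = tile_widths(sizes)
    return "|".join(f"{k}:{sizes[k]}".ljust(widths[k])[:widths[k]] for k in sorted(sizes))

if __name__ == "__main__":
    for path in [(), ("high",), ("high", "new"), ("high", "new", "scannerA", "finance")]:
        print(path, "->", render_row(FINDINGS, path))
```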

As security departments look for tools that can do the heavy lifting of translating constantly changing data into visualizations, some might buy tools built specifically for data analysis, such as IBM Cognos or Maltego. They could also work with other departments, such as a business analytics group that may already have access to these tools, and with data scientists who can tailor them for security applications. Security departments should also be leaning on their vendors to offer built-in visualization within their products, Tiemann says, explaining that they should look not only for good charting, but also for easy ways to get charting tailored to the data user's role in the organization. That's because the type of data and how it is presented should change between the CEO, CIO, CISO, and IT operations staff.

But IT departments and security pros don't necessarily need to invest in expensive tools to get started with better security storytelling through visualizations. Sometimes, when you're telling a story, particularly when pitching higher-ups for more budget or a change of process, it pays to invest the time in some manual design of data visuals, says J.J. Thompson, CEO and managing director of Rook Consulting. He says he has gotten clients to make much quicker decisions about buying into projects or changing processes by switching from multiple-slide PowerPoint decks to a single infographic-like one-pager that tells the same story graphically.

"What we've found is if we can forward one thing that someone can glance at and understand what's going on, what the value proposition is, and what next steps look like, that tends to get approved quickly," Thompson says. "It's not useful for everything, but it is useful for demonstrating progress in where you're at, for capabilities overviews or for spotting anomalies in data."

Thompson recommends that security practitioners look at sites like visual.ly for ideas of how infographics work and then search online for template tools to help build out simple visualizations. He and his team also invested in Adobe tools to make more sophisticated graphics.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Peter Fretty, User Rank: Moderator
10/30/2013 | 4:13:45 PM
re: Visualizing Security Analytics That Don't Stink
Great topic that truly hits home. Being able to visualize security metrics is instrumental in telling the story to gain budget, as you suggest. However, it is also helpful in telling the story throughout the end-user education process. While users may not need as much depth, infographics are quite powerful in persuading and gaining buy-in.

Peter Fretty, IDG blogger working on behalf of Sophos