Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:10 PM
Connect Directly

Visualizing Security Analytics That Don't Stink

Data visualizations can make or break efforts in data-driven security

When it comes to sifting through an inordinate amount of security data in order to make informed decisions, success depends not just on how one slices and dices that data via algorithms and analysis. Equally important is how that data is eventually presented, whether it be to IT operations making daily decisions, IT leaders developing strategic initiatives or to higher level executives who hold the purse strings.

As with many other analytics programs, data visualization is more than producing pretty charts. Good graphical interpretation of data and an effective selection of data to tell the relevant stories can mean the difference between timely decision making or simply succumbing to an exercise in numerical futility.

"Data visualization is an important tool in security analytics because you often don't know exactly what you're looking for," says Dwayne Melancon, chief technology officer for Tripwire. "The human brain is very good at seeing anomalies in large groups of data and interacting with the data visually taps into that strength. After all, a lot of security is finding small, suspicious occurrences within a sea of 'normal' events -- and visualizations are a great way to do just that."

According to data scientists, effective data visualization starts first with choosing which numbers to tell the story. One effective means to offer digestible visualization is to look for analytical ways to reduce the dimensions of data, says Ram Keralapura, data scientist for Netskope, a cloud apps analytics and policy creation company.

"So how do we actually show information in a compact form?" Keralapura says. "One of the ways we do that is by collapsing multiple dimensions into a single dimension, or at least fewer dimensions, so the end user can more easily understand what's happening."

For example, Keralapura's company monitors dozens of different factors that go into how risky a cloud connection might be, such factors as the types of security certifications an organization might have, the auditing and notification policies they have in place, notification policies they have in place, and so on. Rather than just throwing that number over to customers in a massive table for every cloud connection possible, Netskope developed what it calls a Cloud Confidence Index, a number that rolls up each of those other points into one score for that data.

Obviously, that's just a first step to good visualization -- even more important is establishing effective graphical representation of a data set so that it is easier for a data user to sift through individual points in a glance than actually scanning through pages and pages of raw numbers or Excel spreadsheets.

"Human beings tend to be good at perceiving patterns, especially visually; we learn to recognize faces at a young age, for example, and then spend the rest of our lives seeing them in clouds, wood grain, burn patterns in toast, and so on," says Kevin O'Brien, enterprise solution architect for CloudLock. "What this reveals is that our brains are incredibly well-tuned toward this type of behavior along a specific sensory axis -- sight. By translating fairly esoteric text into visual information, we can tap into that 'rapid response' mechanism more readily and make decisions based on it."

Unfortunately, today many security tools tend to simply offer numbers in grid formats or spreadsheets, says Shawn Tiemann, solutions engineer for LockPath, explaining that running through a "pile of vulnerabilities" means you have to read through thousands of items.

"Visualization makes it more digestible and easier to consume so a CISO or director of security can make informed decisions about the business without losing 10 to 20 hours of their life going over nitty-gritty details of those items," he says.

One example of this is the traditional heat map method of visualization, says Keralapura, who explains that this can be useful for such tasks as monitoring source and destination IP addresses.

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

"If you're looking at total number of connections that they're using, a heat map is absolutely the right visualization in that context to be able to say, 'These are the heavy hitters, and these are the ones that exchange the most traffic and so on,'" he says.

Tiemann says he's also a fan of tree mapping, which allows a "true drill-down experience."

"Using that vulnerability security data as an example, you could start at a high level of how severe it is and then maybe click on high-ranking vulnerabilities and from there see what's new versus what's existing or drill into which scanner supplied the data and what business units those vulnerabilities exist in," he says. "With a tree map you can distill that information down to see where the problem exists geographically all the way down to which assets they exist in."

As security departments look for tools that can do the heavy lifting of translating constantly changing data into visualizations, some might buy tools built specifically for data analysis, such as an IBM Cognos or a Maltego. They could also work with other departments, such as a business analytics department that might already have access to these tools, and to data scientists who can tailor these tools for security applications. But, also, security departments should be leaning on their vendors to offer built-in visualization tools within their products, Tiemann says, explaining that they should not only look for good charting, but also for easy ways for the organization to get charting that is pumped out depending on the data user's role in the organization. That's because the type of data and how it is presented should change between the CEO, CIO, CISO, and IT operations staff.

But IT departments and security pros don't necessarily need to invest in expensive tools to get started with better security storytelling through visualizations. Sometimes if you're telling a story, particularly as you're pitching for more budget or a change of process to higher-ups it might pay to invest in the time to do some manual design of data visuals, says J.J. Thompson, CEO and managing director of Rook Consulting, who says he has gotten clients to make much quicker decisions about buying into projects or changing processes based on switching from multiple-slide PowerPoint decks during presentations into a single infographic-like one-pager that tells the same story in a graphical manner.

"What we've found is if we can forward one thing that someone can glance at and understand what's going on, what the value proposition is, and what next steps look like, that tends to get approved quickly," Thompson says. "It's not useful for everything, but it is useful for demonstrating progress in where you're at, for capabilities overviews or for spotting anomalies in data."

Thompson recommends that security practitioners look at sites like visual.ly for ideas of how infographics work and then search online for template tools to help build out simple visualizations. He and his team also invested in Adobe tools to make more sophisticated graphics.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
Peter Fretty,
User Rank: Moderator
10/30/2013 | 4:13:45 PM
re: Visualizing Security Analytics That Don't Stink
Great topic that truly hits home. Being able to visualize security metrics is instrumental in telling the story to gain budget as you suggest. However, it is also helpful in telling the story throughout the end user education process. While users may not need as much depth, infographics are quite powerful in persuading and gaining buyin.

Peter Fretty, IDG blogger working on behalf of Sophos
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...