Visualizing Security Analytics That Don’t Stink
When it comes to sifting through an inordinate amount of security data in order to make informed decisions, success depends not just on how one slices and dices that data via algorithms and analysis. Equally important is how that data is eventually presented, whether it be to IT operations making daily decisions, IT leaders developing strategic initiatives or to higher level executives who hold the purse strings.
As with many other analytics programs, data visualization is more than producing pretty charts. Good graphical interpretation of data and an effective selection of data to tell the relevant stories can mean the difference between timely decision making or simply succumbing to an exercise in numerical futility.
“Data visualization is an important tool in security analytics, because you often don’t know exactly what you’re looking for,” says Dwayne Melancon, chief technology officer for Tripwire. “The human brain is very good at seeing anomalies in large groups of data, and interacting with the data visually taps into that strength. After all, a lot of security is finding small, suspicious occurrences within a sea of ‘normal’ events – and visualizations are a great way to do just that.”
According to data scientists, effective data visualization starts first with choosing which numbers to tell the story. One effective means to offer digestible visualization is to look for analytical ways to reduce the dimensions of data, says Ram Keralapura, data scientist for Netskope, a cloud apps analytics and policy creation company.
“So how do we actually show information in a compact form?” says Keralapura. “One of the ways we do that is by collapsing multiple dimensions into a single dimension or at least fewer dimensions so the end user can more easily understand what’s happening.”
For example, his company monitors dozens of different factors that go into how risky a cloud connection might be, including things like the types of security certifications an organization might have, the auditing policies they have in place, notification policies they have in place and so on. Rather than just throwing that number over to customers in a massive table for every cloud connection possible, it developed what it calls a Cloud Confidence Index, a number that rolls up each of those other points into one score for that data.
Obviously, that’s just a first step to good visualization—even more important is establishing effective graphical representation of a data set so that it is easier for a data user to sift through individual points in a glance than actually scanning through pages and pages of raw numbers or Excel spreadsheets.
“Human beings tend to be good at perceiving patterns, especially visually; we learn to recognize faces at a young age, for example, and then spend the rest of our lives seeing them in clouds, wood grain, burn patterns in toast, and so on,” says Kevin O’Brien, enterprise solution architect for CloudLock. “What this reveals is that our brains are incredibly well tuned towards this type of behavior along a specific sensory axis — sight. By translating fairly esoteric text into visual information, we can tap into that “rapid response” mechanism more readily, and make decisions based on it.”
Unfortunately today many security tools out there tend to simply offer numbers in grid formats or spreadsheets, says Shawn Tiemann, solutions engineer for LockPath, explaining that running through a “pile of vulnerabilities” means you’ve got to read through thousands of items.
“Visualization makes it more digestible and easier to consume so a CISO or director of security can make informed decisions about the business without losing 10 to 20 hours of their life going over little nitty gritty details of those items,” he says.
One example of this is the traditional heat map method of visualization, says Keralapura, who explains that this can be useful for something like monitoring source and destination IP addresses.
[Your organization’s been breached. Now what? See Establishing The New Normal After A Breach.]
“If you’re looking at total number of connections that they’re using, a heat map is absolutely the right visualization in that context to be able to say, ‘these are the heavy hitters and these are the ones that exchange the most traffic and so on,'” he says.
Tiemann says he’s also a fan of tree mapping, which allows a “true drill-down experience.”
“Using that vulnerability security data as an example, you could start at a high level of how severe it is and then maybe click on high-ranking vulnerabilities and from there see what’s new versus what’s existing or drill into which scanner supplied the data and what business units those vulnerabilities exist in,” he says. “With a tree map you can distill that information down to see where the problem exists geographically all the way down to which assets they exist in.”
As security departments look for tools that can do the heavy lifting of translating constantly changing data into visualizations, some might buy tools built specifically for data analysis such as an IBM Cognos or a Maltego. The could also work with other departments such as a business analytics department that might already have access to these tools and to data scientists who can tailor these tools for security applications. But also, security departments should be leaning on their vendors to offer built in visualization tools within their products, Tiemann says, explaining that they should not only look for good charting but also for easy ways for the organization to get charting that is pumped out depending on the data user’s role in the organization. Because the type of data and how it is presented should change between the CEO, CIO, CISO and IT operations staff.
But IT departments and security pros don’t necessarily need to invest in expensive tools to get started with better security story telling through visualizations. Sometimes if you’re telling a story, particularly as you’re pitching for more budget or a change of process to higher-ups it might pay to invest in the time to do some manual design of data visuals, says J.J. Thompson, CEO and managing director of Rook Consulting, who says he’s gotten clients to make much quicker decisions about buying into projects or changing processes based on switching from multiple-slide PowerPoint decks during presentations into a single infographic-like one-pager that tells the same story in a graphical manner.
“What we’ve found is if we can forward one thing that someone can glance at and understand what’s going on, what the value proposition is and what next steps look like, that tends to get approved quickly,” he says. “It’s not useful for everything , but it is useful for demonstrating progress in where you’re at, for capabilities overviews or for spotting anomalies in data.”
He recommends that security practitioners look at sites like visual.ly for ideas of how infographics work and then search online for template tools to help build out simple visualizations. He and his team also invested in Adobe tools to make more sophisticated graphics.
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.