As many of you are aware, I have spent quite a bit of time in Security Operations Centers (SOCs) over the course of my career. I remember one particular experience like it was yesterday. A high-ranking executive came through for a whirlwind tour that literally lasted about 17 seconds. On her way out, she screamed, “I need more pictures on those big screens!”
That experience both frustrated and infuriated me for many reasons. One of the main reasons why I was so bothered by it was how that particular experience so starkly illustrated the complete lack of understanding around visualization in the information security space. Everyone loves a pretty picture or a slick graph, but very rarely do these supposed visualizations add any real value to security operations. What do I mean by that somewhat provocative statement? Why is this the case? How can we produce visualizations that add value to security operations? I’d like to explore those questions in the remainder of this piece.
To understand why most visualizations provide so little value to security operations, we must first go back to fundamentals. In security, as I often note, that means coming back to the risks and threats to our respective organizations that we’re looking to mitigate, manage, and minimize. I have seen thousands of different attempts at visualization over the years. But how many of those mapped back to a risk register and visualized information that helped the organization understand whether or not one of those risks needed immediate attention? I can count the number of those types of visualizations on my fingers. Therein lies the crux of the issue.
In my experience, the mapping of a visualization back to the risks and threats we’re aiming to mitigate is something that many people struggle with. To my knowledge, this is a prime reason why so many attempts at visualization fail to provide any real value to the organization and are most often relegated to the status of “eye candy”. But there is another way to leverage visualization in a way that adds value to security operations.
The human eye can often pictorially identify patterns, connections, and outliers in the data that would otherwise be very difficult to identify through other means. Visualization, which allows the human eye to pictorially scan the underlying data, can be a powerful tool when leveraged appropriately.
The purpose of visualization is most often to elicit patterns, connections, and outliers in the data using the human eye as the parsing and analysis mechanism. In order to properly elicit meaning from large enterprise data, one must first reduce the data to improve the signal-to-noise ratio. In other words, given the volume and variety of data in the modern enterprise, the level of noise is simply too high to allow for meaningful visualizations without first performing one or more data reductions. Trying to build pretty pictures and slick graphs on top of raw data, which is extremely diverse, voluminous, and completely unfocused, is simply not going to yield very good results.
How does one perform data reduction to produce a meaningful visualization that will be useful to security operations? Thinking about what specific question the data should be used to answer is a good first step. Or, to put it another way, it helps to build out a series of use cases that map back to our prioritized list of risks. From there, we can look to reduce the data in a way that will bring out the value we’re after and highlight the activity we’re looking for.
Let me try and illustrate this through a relatively simple and straightforward example. For our example, let's assume that we are trying to use visualization to understand to which countries we are sending Office documents. Before we can think about how to visualize the data, we need to reduce the data by asking it to return only the results that meet these criteria:
● That the data is leaving the network (as opposed to entering the network).
● That the data contains only sessions where the file type is one of the Office file types (e.g., Word, Excel, PowerPoint, etc.).
● That we have a mechanism in place to map the destination to a country (be it by domain, IP address, or ASN).
Once the data has been reduced, and the signal-to-noise ratio has been increased substantially, we can begin to consider which type of visualization fits best. Different questions asked of the data will necessitate different types of visualizations to elicit the patterns, connections, and outliers we are looking to delineate. In our example, a world map with some coloring or shading to indicate volume (be it number of sessions, number of bytes, or otherwise) probably fits best. Of course, different types of questions asked of the data will lend themselves to different types of visualizations. In some cases, multiple visualizations may work together to meet the desired goals. When completed, our visualization will provide us with a graphic that we can efficiently scan with our eye. The data reduction or reductions we performed allow us to assess quickly, with a specific context in mind, whether or not we can identify something requiring further investigation.
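As an added illustration (not code from the original article), here is the reduction from the three criteria above carried out over a handful of constructed session records, with a constructed destination-to-country lookup standing in for a GeoIP or ASN feed, and then aggregated into the per-country volumes a world map would shade:

```python
from collections import defaultdict

# Constructed sample session records (not real traffic): direction, file type,
# destination IP and bytes transferred.
SESSIONS = [
    {"direction": "outbound", "file_type": "docx", "dst_ip": "203.0.113.10",  "bytes": 52_000},
    {"direction": "inbound",  "file_type": "docx", "dst_ip": "198.51.100.7",  "bytes": 81_000},
    {"direction": "outbound", "file_type": "xlsx", "dst_ip": "203.0.113.44",  "bytes": 120_000},
    {"direction": "outbound", "file_type": "pdf",  "dst_ip": "198.51.100.9",  "bytes": 30_000},
    {"direction": "outbound", "file_type": "pptx", "dst_ip": "192.0.2.5",     "bytes": 4_300_000},
    {"direction": "outbound", "file_type": "docx", "dst_ip": "192.0.2.5",     "bytes": 950_000},
    {"direction": "outbound", "file_type": "xlsx", "dst_ip": "198.51.100.22", "bytes": 10_000},
]

OFFICE_TYPES = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}

# Constructed destination-to-country lookup (assumption: a GeoIP/ASN feed
# would fill this in a real deployment).
GEO = {"203.0.113.10": "DE", "203.0.113.44": "DE", "192.0.2.5": "BR"}

def reduce_sessions(sessions, geo):
    """Apply the three criteria (outbound, Office file type, mappable destination).
    Returns the surviving sessions with a country attached, plus a count of
    sessions that could not be mapped, so the analyst knows what the map omits."""
    kept, unmapped = [], 0
    for s in sessions:
        if s["direction"] != "outbound":          # criterion 1: leaving the network
            continue
        if s["file_type"].lower() not in OFFICE_TYPES:  # criterion 2: Office types only
            continue
        country = geo.get(s["dst_ip"])           # criterion 3: destination -> country
        if country is None:
            unmapped += 1
            continue
        kept.append({**s, "country": country})
    return kept, unmapped

def volume_by_country(sessions):
    """Aggregate the reduced set into the per-country session and byte counts
    that a shaded world map would display."""
    agg = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        agg[s["country"]]["sessions"] += 1
        agg[s["country"]]["bytes"] += s["bytes"]
    return dict(agg)

if __name__ == "__main__":
    kept, unmapped = reduce_sessions(SESSIONS, GEO)
    print(volume_by_country(kept), "unmapped:", unmapped)
```

The unmapped count matters: a destination that cannot be placed on the map is itself worth a second look rather than silently dropped.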
In my experience, and in the experience of many others as well, unfocused attempts at visualization over raw, unreduced data produce visualizations that are not particularly useful for security operations. Visualization does have tremendous potential to bring value to security operations when leveraged properly. Performing data reduction by posing specific, targeted, incisive queries into the data provides a good starting point for producing visualizations of high value to security operations. Get the picture?