Data visualization techniques for cyber security analysts — Guest Blog by Cambridge Intelligence

IP information, server logs, communications records: cyber data is big, complex, and generated every millisecond.

Threat analysts sift through billions of alerts daily to determine what’s relevant and worth acting upon. It’s an overwhelming job and, if not done effectively, important alerts get missed, network vulnerabilities are exploited and post-attack forensics lack insight.

Later this month, I’m presenting at the Cyber & FinTech Summit in The Hague to explain why graph visualization tools should be part of your cyber solution.

A quick definition of graph visualization

Graph visualization can be a confusing term. It’s not the standard pie charts and bar graphs you’d normally find in a cyber dashboard. Instead, it’s the visualization of connections and relationships in data — sometimes called link analysis or network visualization. It’s a great way to piece together digital footprints — those individual data points created every time we send an email, visit a website or share data over a network.

Enhancing threat-detection tools with graph visualization

We can divide cyber threats into two categories: new threats and threats we’ve seen before.

Security Information and Event Management (SIEM) tools are great at matching attack signatures and flagging events that look like threats we’ve seen before. Thanks to AI and machine learning, they’re pretty good at uncovering new threats too.

But in complex or borderline scenarios, it’s a human that needs to make the important decisions. Graph visualization is the perfect tool to facilitate that.

Visual detection techniques help analysts make sense of alerts and events flagged up by automated systems. Visual investigation techniques reveal new threats that would otherwise be missed by automated systems.

The insight from those investigations is then fed back into the automated detection rules, building more resilient and effective threat management processes.

We’ll take a look at a couple of examples of those techniques in action.

Visual threat detection

Here’s an example of how graph visualization lets analysts perform fast, accurate reviews of events and cases flagged by automated tools. This visualization of a fictional company’s IT network shows offices at different locations and the subnets between them.

In this example, we’ve matched a threat signature, meaning something has happened that appears similar to a previous malicious event. Someone is sharing unencrypted data between certain devices.

It’s now an analyst’s job to review that alert and decide what action needs to be taken — quickly.

We can dig into the simple network overview to see an intuitive and complete picture of what’s happening. In this case, a computer in Cambridge and a phone in Paris are sharing unencrypted communications. We can isolate those devices, and see which connected devices may have been impacted.

Visual threat investigation

Graph visualization helps analysts identify patterns and anomalies that conceal possible threats.

The human brain is good at recognizing patterns. Combined with a machine’s data processing capability, it’s possible to find anomalies that machines alone would miss. The example here is greatly simplified, but the approach can identify data breaches, find malware entry points, predict external attacks and uncover vulnerabilities in an organization’s perimeter.

Here we’re looking at data representing user logins to an online portal. Each individual component represents an online account with links to IP addresses that have accessed it. We can see from the size of the many smaller components that most accounts have been accessed by 1–4 different IP addresses.

There are larger star-shaped components throughout the chart that stand out.

This tells us that these accounts have been accessed from an unusually high number of IP addresses. Let’s zoom into one.

In this example, the analyst should ask why this UK-registered user has logged into the system from more than 20 locations.
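The account-to-IP graph described above, reduced to code, as an added example that is not part of the original post or of any Cambridge Intelligence product: it builds the bipartite account/IP graph from constructed login records, finds its connected components, and flags the "star" accounts that have been reached from more than 20 distinct IP addresses. The login records and the threshold of 20 are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample login records (account, source IP); not real data.
LOGINS = [
    ("alice", "203.0.113.10"), ("alice", "203.0.113.11"),
    ("bob", "198.51.100.5"),
    ("carol", "192.0.2.20"), ("carol", "192.0.2.21"), ("carol", "192.0.2.22"),
    ("dave", "192.0.2.22"),  # shares an IP with carol, so the two merge into one component
] + [("mallory", f"198.51.100.{i}") for i in range(100, 125)]  # 25 distinct IPs

def build_graph(logins):
    """Bipartite account/IP graph: node -> set of neighbouring nodes."""
    graph = defaultdict(set)
    for account, ip in logins:
        graph[("account", account)].add(("ip", ip))
        graph[("ip", ip)].add(("account", account))
    return graph

def components(graph):
    """Connected components found by breadth-first search, each a set of nodes."""
    seen, result = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in comp:
                continue
            comp.add(node)
            queue.extend(graph[node] - comp)
        seen |= comp
        result.append(comp)
    return result

def star_accounts(graph, threshold=20):
    """Accounts accessed from more than `threshold` distinct IPs: the star-shaped hubs."""
    return sorted(name for (kind, name), nbrs in graph.items()
                  if kind == "account" and len(nbrs) > threshold)

def component_summary(graph):
    """(accounts, ips) size pair per component, largest first; small pairs are the normal 1-4 IP case."""
    sizes = []
    for comp in components(graph):
        accounts = sum(1 for kind, _ in comp if kind == "account")
        sizes.append((accounts, len(comp) - accounts))
    return sorted(sizes, reverse=True)

if __name__ == "__main__":
    g = build_graph(LOGINS)
    print("component sizes (accounts, ips):", component_summary(g))
    print("accounts with >20 distinct IPs:", star_accounts(g))
```

The same graph lets the analyst pivot from a flagged account to every IP that touched it, and from a shared IP to every other account it reached, which is the "zoom into one" step of the investigation.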

Sharing intelligence

Our final example shows how visualization makes it easier to summarize and communicate complex cyber threat intelligence to a wide audience.

We’ve visualized data from the Verizon Data Breach Investigations Report. It looks at thousands of data breaches around the world, examining their attackers, vectors, and victims.

Nodes represent attacked organizations and attackers, with links between them color-coded by vectors. We can identify trends using filters and the timeline component at the bottom of the chart.

From here, the user can interact intuitively with the chart to understand patterns, search for specific organizations or compare and contrast different vectors.

This simple, easy-to-read visualization is the ideal way to communicate millions of events in a single view. It can be shared and explored — a great way to communicate complex insight quickly.

Want to learn more?

At Cambridge Intelligence, we specialize in graph visualization. We’ve worked with hundreds of organizations worldwide, from the governments of the UK and Netherlands to McAfee and Symantec, helping them to understand the threats and risks hidden in complex connected data.

We’ll be at the Cyber & FinTech Summit in The Hague on 20 February 2020. I’ll look forward to seeing you there!

Published by Department for International Trade The Netherlands (cfs2020). DIT the Netherlands helps UK companies increase their competitiveness through overseas trade in the Netherlands.