Data Visualizations in Cyber Security: Still Home of the WOPR?
Visualization of security data has not advanced significantly since the days of the WOPR in War Games. Other tech industries have embraced the role of modern user interfaces to facilitate and expedite data search, analysis and discovery, which has significantly helped users in those industries gain insights from a big data environment. In contrast, the security industry prefers to relegate everyone into command line prompts and clunky interfaces with minimal functionality and an inability to scale to the volume, velocity, and variety of security data. I’ll address the core challenges and impact of the industry’s failure to take data visualization and user experience seriously, and provide recommendations on key areas that would most benefit from modern data visualization. Through the use of attack timelines, I’ll demonstrate how we, as an industry, must move beyond familiar visualization conventions (that tend to break at scale) and provide functional data visualization that is usable for analysts and operators across all levels of expertise.

  1. Data Visualizations in Cyber Security: Still Home of the WOPR? Confidential and Proprietary. Bsides Las Vegas 2017, Matthew Park
  2. Who Am I? MATTHEW PARK: User Experience Lead; background in Big Data and Video Games Design; @muted_counts; mpark@endgame.com
  3. Confidential and Proprietary
  4. Home of the WOPR? Hollywood fiction at its finest. Learn DAMMIT LEARN
  5. The Life of an Actual SOC Analyst: 5 / 70 Alerts, 30 / 250 Alerts, 150 / 8,173 Alerts
  6. Raffael Marty, author of Applied Security Visualization: “The general problem plaguing security visualizations today…they are either the work of designers with no background in security, or of security professionals who don’t understand data visualizations.”
  7. Comfort Zones Example: where analysts tend to lean
  8. Comfort Zones Example: how visualizations can find that needle in the haystack
  9. Agenda: How Amazing is WarGames? / The General Problems with Visualizations in Security / Let’s Talk Attack Timelines / Discovery: Recognizing our Biases, User Testing / Persona Creation, Design Requirements / Concepting: Basics of Design Structures / Prototyping / Looking Ahead. End of the appetizer, time for the entrée.
  10. Three Stages (User-Centric Design)
      Discovery: confirming/disproving biases, understanding our users, capturing organizational workflows.
      Concept: creating a basic foundation from known design patterns; creating new design requirements from our users.
      Prototyping and User Testing: feature creation and taking it back into the ‘wild’ for testing.
  11. Discovery Phase: Definition and Recognizing our Biases
      Experience: • Lack of security expertise • Lack of platform domain experience
      Time: • Limited time to review alerts and incidents • Forced to make informed decisions quickly
      Differentiation: • Forces conformity • Requires a level of expertise to extract value
  12. User-centric Design Study. GOAL: Capture team dynamics and worker roles within the security organization to identify challenges common across security teams.
      User Group | Team Type                   | Environment    | Collection Method
      A          | Traditional SOC individuals | Day-to-day use | User interviews
      B          | Novice training team        | Mock scenario  | Side-by-side monitoring, retrospective & user interviews
      C          | Internal Red vs. Blue       | Mock scenario  | Mirrored scenario as User Group B
  13. Findings: Security Work Roles
      Tier 1 Analyst:  Have little to no prior experience (average of 1 year) in the cyber security space; first line of defense in a Security Operations Center.  Main responsibility is to initially triage alerts and determine if escalation (to a higher tier) is required.  Primarily rely on a platform’s GUI.
      Tier 3 Analyst:  Intimately understand network and platform architecture.  Seen as domain experts on the SOC team and more comfortable working through the command line.  Investigate escalated alerts, and determine root causes and extent in order to remediate problems.
      Forensic Hunter:  Expert in EDR platforms and sophisticated investigation tools.  Uses command line and scripting languages to bypass the UI and collect large data feeds using 3rd-party APIs.
      SOC Manager:  Skilled security practitioners, not necessarily subject matter experts.  Extensive management experience, oversees day-to-day ops.  Sets schedules, assigns prioritization, generates reports.
  14. Findings: Day in the Life of a Security Analyst. Needs: More Variables; Increase Working Memory; Represent Time; Facilitate Discovery. Constraints: Lack of Expertise; Lack of Time.
  15. Concept Phase: Design Requirements. 1. Visualizations should be used as a tool to enhance the typical analyst workflow by providing high- to low-level visibility and context to granular data. 2. Visualizations should be used as a tool for collaboration or reporting.
  16. Concept Phase. Foundations of Visualizations: Ben Shneiderman’s information-seeking mantra.
      1. Overview First • Should guide the user to other parts of the product for further exploration. • The overview should summarize the overarching story from the entire data set without getting into the minor details.
      2. Zoom and Filter • Aim to provide the user with plenty of control for zooming and filtering data from the overview. • Extremely important for complex visualizations (i.e. attack timelines): zoom and filter is the driving mechanism for organization for your user.
      3. Details on Demand • This third layer of data would be less visual and more text-heavy, with a focus on accurate information rather than trends. • Bring them as close as possible to the raw data, and equip them to find what they started out looking for.
  17. Prototyping: Temporal Structures
  18. Ward Shelley, Addendum of Alfred Barr Pt 2: “…I like to present narratives with sprawling information-rich panoramas. Yet these diagrams are radical reductions of written sources I’ve researched. I have had to choose who and what to include, who and what not. Because the variables I have to work with are extremely limited, the people and events I use are reduced to symbols that are plotted in relationships to each other in the diagrams…”
  19. Prototyping: Spatio-Temporal Structures. Existence Changes: changes in instant events, such as the appearing or disappearing of objects and/or relationships. Spatial Changes: change in spatial properties of objects such as location, size and shape.
  20. Prototyping: Spatio-Temporal Structures
  21. Prototyping: Spatio-Temporal Structures
  22. Prototyping: Spatio-Temporal Structures
  23. Prototyping: Spatio-Temporal Structures
  24. Prototyping: Spatio-Temporal Structures
  25. Looking Forward: the only path is forward. • Adding workflow enhancements: pivoting/collaboration • More user testing and refinement: we are trying to poke as many holes as possible • Scaling past a singular endpoint
  26. Thank You. Contact: mpark@endgame.com @muted_counts
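As an added example, not taken from the slides or from the author's own tooling, the following Python sketches how an attack timeline can follow the three layers of Shneiderman's mantra from slide 16 (overview first, zoom and filter, details on demand) and track the existence changes described on slide 19 (objects appearing and disappearing over time). The endpoint log format, the host and process names, and the 1–5 severity scale are all constructed assumptions for illustration.

```python
"""Attack-timeline helpers: overview first, zoom and filter, details on demand,
plus existence-change tracking. Added example; the log format, hosts, process
names and severity scale below are constructed, not from any real sensor."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # "process" or "netconn"
    action: str    # start/exit for processes, open/close for connections
    obj: str       # process image or remote socket
    severity: int  # 1 (info) .. 5 (critical), assigned by a hypothetical sensor
    raw: str       # the original line, kept for details-on-demand


# Constructed sample telemetry: one workstation where Word spawns PowerShell and
# an outbound connection opens, plus two quieter hosts.
SAMPLE_LOG = """\
2017-07-25T09:00:00 ws-01 process start winword.exe sev=1
2017-07-25T09:02:00 ws-01 process start powershell.exe sev=3
2017-07-25T09:03:00 ws-01 netconn open 203.0.113.9:443 sev=4
2017-07-25T09:20:00 ws-01 process exit winword.exe sev=1
2017-07-25T10:05:00 ws-02 process start outlook.exe sev=1
2017-07-25T10:40:00 ws-01 netconn close 203.0.113.9:443 sev=2
2017-07-25T11:15:00 srv-db process start sqlservr.exe sev=1
"""

APPEARS = {"start", "open"}
DISAPPEARS = {"exit", "close"}


def parse_log(text: str) -> List[Event]:
    """Parse the constructed 'ts host kind action obj sev=N' format, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, action, obj, sev = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, kind, action, obj,
                            int(sev.split("=", 1)[1]), line))
    return sorted(events, key=lambda e: e.ts)


def overview(events: List[Event]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Overview first: per (hour bucket, host) event count and worst severity,
    summarising the whole data set without exposing any individual event."""
    summary: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(
        lambda: {"count": 0, "max_severity": 0})
    for e in events:
        key = (e.ts.replace(minute=0, second=0, microsecond=0).isoformat(), e.host)
        cell = summary[key]
        cell["count"] += 1
        cell["max_severity"] = max(cell["max_severity"], e.severity)
    return dict(summary)


def zoom(events: List[Event], host=None, start=None, end=None,
         min_severity: int = 0) -> List[Event]:
    """Zoom and filter: narrow the timeline to a host, a time window [start, end),
    and/or a severity floor chosen from the overview."""
    return [e for e in events
            if (host is None or e.host == host)
            and (start is None or e.ts >= start)
            and (end is None or e.ts < end)
            and e.severity >= min_severity]


def details(event: Event) -> str:
    """Details on demand: the raw record behind one point on the timeline."""
    return event.raw


def existence_changes(events: List[Event]) -> List[Tuple[datetime, str, str, str]]:
    """Existence changes: each appearance or disappearance of an object, the
    instant events a spatio-temporal attack timeline is built from."""
    changes = []
    for e in events:
        if e.action in APPEARS:
            changes.append((e.ts, e.host, e.obj, "appeared"))
        elif e.action in DISAPPEARS:
            changes.append((e.ts, e.host, e.obj, "disappeared"))
    return changes


def live_objects(events: List[Event], host: str, at: datetime) -> Set[str]:
    """Objects (processes, connections) present on a host at a given instant,
    replayed from the existence changes up to and including that time."""
    live: Set[str] = set()
    for ts, h, obj, change in existence_changes(events):
        if h != host or ts > at:
            continue
        if change == "appeared":
            live.add(obj)
        else:
            live.discard(obj)
    return live


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, cell in sorted(overview(evs).items()):   # layer 1
        print(key, cell)
    for e in zoom(evs, host="ws-01", min_severity=3):  # layer 2
        print(details(e))                               # layer 3
    print(live_objects(evs, "ws-01", evs[2].ts))
```

The overview deliberately returns only counts and a worst-severity value per cell, so a Tier 1 analyst reading it sees which hour and host to open without the full alert volume from slide 5; `zoom` then narrows to that cell and `details` hands over the raw line that a Tier 3 analyst or hunter would otherwise fetch from the command line. `live_objects` replays the existence changes so the timeline can show what was present at any instant rather than only when things happened.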