Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Data Visualizations in Cyber Security: Still Home of the WOPR?


Published on

Visualization of security data has not advanced significantly since the days of the WOPR in War Games. Other tech industries have embraced the role of modern user interfaces to facilitate and expedite data search, analysis and discovery, which has significantly helped users in those industries gain insights from a big data environment. In contrast, the security industry prefers to relegate everyone into command line prompts and clunky interfaces with minimal functionality and an inability to scale to the volume, velocity, and variety of security data. I’ll address the core challenges and impact of the industry’s failure to take data visualization and user experience seriously, and provide recommendations on key areas that would most benefit from modern data visualization. Through the use of attack timelines, I’ll demonstrate how we, as an industry, must move beyond familiar visualization conventions (that tend to break at scale) and provide functional data visualization that is usable for analysts and operators across all levels of expertise.

Published in: Design
  • Login to see the comments

  • Be the first to like this

Data Visualizations in Cyber Security: Still Home of the WOPR?

  1. 1. Data Visualizations in Cyber Security: Still Home of the WOPR? Confidential and Proprietary Bsides Las Vegas 2017 Matthew Park
  2. 2. 2 Who Am I? MATTHEW PARK  User Experience Lead  Background in Big Data and Video Games Design  @muted_counts 
  3. 3. 3Confidential and Proprietary
  4. 4. 4 Home of the WOPR? Hollywood fiction at it’s finest. Learn DAMMIT LEARN
  5. 5. 5 The Life of an Actual SOC Analyst 5 /70 Alerts 30 /250 Alerts 150 /8,173 Alerts
  6. 6. Raffael Marty Author of Applied Security Visualization “The general problem plaguing security visualizations today…they are either the work of designers with no background in security, or of security professionals who don’t understand data visualizations.”
  7. 7. 7 Comfort Zones Example Where analysts tends to lean towards
  8. 8. 8 Comfort Zones Example How visualizations can find that needle in the haystack
  9. 9. Let’s Talk Attack Timelines How Amazing is WarGames? The General Problems with Visualizations in Security Let’s Talk Attack Timelines Discovery / Recognizing our Biases / User Testing Persona Creation / Design Requirements Concepting / Basics of Design Structures Prototyping / Looking Ahead End of the appetizer, time for the entrée.
  10. 10. 10 Three Stages Discovery Confirming/disproving biases, understanding our users, capturing organizational workflows Concept Creating a basic foundation from known design patterns, Creating new design requirements from our users Prototyping and User Testing Feature creation and taking it back into the ‘wild’ for testing User-Centric Design
  11. 11. 11 Discovery Phase Definition and Recognizing our Biases Experience Time Differentiation • Lack of security expertise • Lack of platform domain experience • Limited time to review alerts and incidents • Forced to make informed decisions quickly • Forces conformity • Requires level of expertise to extract value
  12. 12. 12 User-centric Design Study  GOAL: Capture team dynamics and worker roles within security organization to identify challenges common across security teams User Group Team Type Environment Collection Method A Traditional SOC Individuals Day-to-day use User interviews B Novice Training Team Mock Scenario Side-by-side monitoring, Retrospective & User interviews C Internal Red vs. Blue Mock Scenario Mirrored Scenario as User Group B
  13. 13. 13  Have little to no prior experience (average of 1 year) in the cyber security space. First line of defense in a Security Operations Center.  Main responsibility is to initially triage alerts and determine if escalation (to higher tiered) is required.  Primarily rely on a platform’s GUI. Tier 1 Analyst Tier 3 Analyst Forensic Hunter  Intimately understand network and platform architecture.  Seen as domain experts on the SOC team and more comfortable working through the command line.  Investigates escalated alerts, and determine root causes and extent to remediate problems.  Expert in EDR platforms and sophisticated investigation tools  Uses command line and scripting languages to bypass UI and collect large data feeds using 3rd party APIs. SOC Manager  Skilled security practitioners, not necessarily subject matter experts.  Extensive management experience, oversees day-to-day ops.  Set schedules, assigns prioritization, generates reports. Findings: Security Work Roles
  14. 14. Findings: Day in Life of a Security Analyst More Variables Increase Working Memory Represent Time Facilitate Discovery Lack of Expertise Lack of Time 14
  15. 15. 15 Concept Phase Design Requirements 1. Visualizations should be used a tool to enhance the typical analyst workflow by providing high to low-level visibility and context to granular data. 2. Visualizations should be used as a tool for collaboration or reporting.
  16. 16. 16 Concept Phase Foundations of Visualizations: Ben Shneiderman’s Information seeking mantra 1. Overview First 2. Zoom and Filter 3. Details on Demand • Should guide the user them to other parts of the product for further exploration. • The overview should summarize the overarching story from the entire data set without getting into the minor details. • Aim to provide the user with plenty of control for zooming and filtering data from the overview • Extremely important for complex visualizations (ie. attack timelines) – The Zoom and Filter is the driving mechanism for organization to your user. • This third layer of data would be less visual, and more text-heavy with a focus on accurate information rather than trends. • Bring them as close as possible to the raw data, and equip them to find what they started out looking for.
  17. 17. 17 Prototyping: Temporal Structures
  18. 18. Ward Shelley Addendum of Alfred Barr Pt 2 “…I like to present narratives with sprawling information-rich panoramas. Yet these diagrams are radical reductions of written sources I’ve researched. I have had to choose who what to include, who and what not. Because the variables I have to work with are extremely limited, the people and events I use are reduced to symbols that are plotted in relationships to each other in the diagrams…”
  19. 19. 19 Prototyping: Spatio-Temporal Structures Existence Changes: Changes in instant events, such as the appearing or disappearing of objects and/or relationships. Spatial Changes: Change in spatial properties of objects such as location, size and shape
  20. 20. 20 Prototyping: Spatio-Temporal Structures
  21. 21. 21 Prototyping: Spatio-Temporal Structures
  22. 22. 22 Prototyping: Spatio-Temporal Structures
  23. 23. 23 Prototyping: Spatio-Temporal Structures
  24. 24. 24 Prototyping: Spatio-Temporal Structures
  25. 25. 25 Looking Forward The only path is forward • Adding workflow enhancements: Pivoting/Collaboration • More user testing and refinement – are trying to poke as many holes as possible • Scaling past a singular endpoint
  26. 26. Thank You Contact: @muted_counts