Why Data Reduction is Key for Meaningful Visualizations

As many of you are aware, I have spent quite a bit of time in Security Operations Centers (SOCs) over the course of my career.  I remember one particular experience like it was yesterday.  A high ranking executive came through for a whirlwind tour that literally lasted about 17 seconds.  On her way out, she screamed, “I need more pictures on those big screens!”.

That experience both frustrated and infuriated me for many reasons.  One of the main reasons why I was so bothered by it was how that particular experience so starkly illustrated the complete lack of understanding around visualization in the information security space.  Everyone loves a pretty picture or a slick graph, but very rarely do these supposed visualizations add any real value to security operations.  What do I mean by that somewhat provocative statement?  Why is this the case?  How can we produce visualizations that add value to security operations?  I’d like to explore those questions in the remainder of this piece.

To understand why most visualizations provide so little value to security operations, we must first go back to fundamentals.  In security, as I often note, that means coming back to the risks and threats to our respective organizations that we’re looking to mitigate, manage, and minimize.  I have seen thousands of different attempts at visualization over the years.  But how many of those mapped back to a risk register and visualized information that helped the organization understand whether or not one of those risks needed immediate attention?  I can count the number of those types of visualizations on my fingers.  Therein lies the crux of the issue.

In my experience, the mapping of a visualization back to the risks and threats we’re aiming to mitigate is something that many people struggle with.  To my knowledge, this is a prime reason why so many attempts at visualization fail to provide any real value to the organization and are most often relegated to the status of “eye candy”.  But there is another way to leverage visualization so that it adds value to security operations.

The human eye can often pictorially identify patterns, connections, and outliers in the data that would otherwise be very difficult to identify through other means.  Visualization, which allows the human eye to pictorially scan the underlying data, can be a powerful tool when leveraged appropriately.

The purpose of visualization is most often to elicit patterns, connections, and outliers in the data using the human eye as the parsing and analysis mechanism.  In order to properly elicit meaning from large enterprise data, one must first reduce the data to improve the signal-to-noise ratio.  In other words, given the volume and variety of data in the modern enterprise, the level of noise is simply too high to allow for meaningful visualizations without first performing one or more data reductions.  Trying to build pretty pictures and slick graphs on top of raw data, which is extremely diverse, voluminous, and completely unfocused, is simply not going to yield very good results.

How does one perform data reduction to produce a meaningful visualization that will be useful to security operations?  Thinking about what specific question the data should be used to answer is a good first step.  Or, to put it another way, it helps to build out a series of use cases that map back to our prioritized list of risks.  From there, we can look to reduce the data in a way that will bring out the value we’re after and highlight the activity we’re looking for.

Let me try and illustrate this through a relatively simple and straightforward example.  For our example, let’s assume that we are trying to use visualization to understand to which countries we are sending Office documents.  Before we can think about how to visualize the data, we need to reduce the data by asking it to return only the results that meet these criteria:

● That the data is leaving the network (as opposed to entering the network).

● That the data contains only sessions where the file type is one of the Office file types (e.g., Word, Excel, PowerPoint, etc.).

● That we have a mechanism in place to map the destination to a country (be it by domain, IP address, or ASN).

Once the data has been reduced, and the signal-to-noise ratio has been increased substantially, we can begin to consider which type of visualization fits best.  Different questions asked of the data will necessitate different types of visualizations to elicit the patterns, connections, and outliers we are looking to delineate.  In our example, a world map with some coloring or shading to indicate volume (be it number of sessions, number of bytes, or otherwise) probably fits best.  Of course, different types of questions asked of the data will lend themselves to different types of visualizations.  In some cases, multiple visualizations may work together to meet the desired goals.  When completed, our visualization will provide us with a graphic that we can efficiently scan with our eye.  The data reduction or reductions we performed allow us to assess quickly, with a specific context in mind, whether or not we can identify something requiring further investigation.
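The three reductions above, carried through to the per-country totals a shaded world map would consume. This is an added example, not code from the column; the session records, the Office file-type set and the prefix-to-country table are all constructed for illustration (a real SOC would map destinations through a GeoIP or ASN database).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample session records, shaped like a traffic-analysis export.
SESSIONS = [
    {"direction": "outbound", "dst_ip": "203.0.113.10", "file_type": "docx", "bytes": 48_000},
    {"direction": "outbound", "dst_ip": "203.0.113.12", "file_type": "xlsx", "bytes": 120_000},
    {"direction": "inbound",  "dst_ip": "10.0.0.5",     "file_type": "docx", "bytes": 30_000},
    {"direction": "outbound", "dst_ip": "198.51.100.7", "file_type": "pdf",  "bytes": 900_000},
    {"direction": "outbound", "dst_ip": "198.51.100.9", "file_type": "pptx", "bytes": 2_500_000},
    {"direction": "outbound", "dst_ip": "192.0.2.44",   "file_type": "docx", "bytes": 15_000},
]

# Reduction 2: the Office file types of interest (constructed set).
OFFICE_TYPES = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}

# Reduction 3: destination-to-country mapping. A constructed prefix table
# stands in for the GeoIP/ASN lookup a real SOC would use.
COUNTRY_BY_NETWORK = [
    (ip_network("203.0.113.0/24"), "NL"),
    (ip_network("198.51.100.0/24"), "BR"),
]

def country_of(dst_ip):
    """Map a destination IP to a country code, or None if it cannot be mapped."""
    addr = ip_address(dst_ip)
    for net, country in COUNTRY_BY_NETWORK:
        if addr in net:
            return country
    return None

def reduce_office_egress(sessions):
    """Apply the three reductions, then aggregate sessions and bytes per country.

    The result, {country: {"sessions": n, "bytes": total}}, is the shape a
    shaded world map consumes. Unmappable destinations are dropped, not guessed.
    """
    per_country = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        if s["direction"] != "outbound":                # 1: leaving the network
            continue
        if s["file_type"].lower() not in OFFICE_TYPES:  # 2: Office files only
            continue
        country = country_of(s["dst_ip"])               # 3: destination -> country
        if country is None:
            continue
        per_country[country]["sessions"] += 1
        per_country[country]["bytes"] += s["bytes"]
    return dict(per_country)
```

Of the six constructed sessions only three survive all three reductions; the inbound session, the PDF transfer and the session to an unmapped destination never reach the map, which is the point of reducing before visualizing.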

In my experience, and in the experience of many others as well, unfocused attempts at visualization over raw, unreduced data produce visualizations that are not particularly useful for security operations.  Visualization does have tremendous potential to bring value to security operations when leveraged properly.  Performing data reduction by posing specific, targeted, incisive queries into the data provides a good starting point for producing visualizations of high value to security operations.  Get the picture?

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
