Data visualization has been around for decades, but modern desktop computers finally possess the power to turn raw data into interactive displays for analysis, enabling computer security analysts to use visual analytics techniques to solve daily problems.
Although many other tools exist to assist organizations with computer security-from intrusion detection and prevention systems to firewalls and anti-virus applications-none of these solve the data overload problem as effectively as visual analytic software. This is because the problem central to data analysis is an effective reduction of false positives and superfluous data, while preserving important information (sometimes called “improving the signal-to-noise ratio”).
Visual analytics allows analysts to interactively apply a wide variety of tools to make important data pop out of the abyss and become instantly understandable. In essence, visual analytics reduces the time taken to convert information to knowledge by an order of magnitude or better. This is possible for a variety of reasons:
Reason No. 1: Visual analytics allows computer security professionals to rethink how to recognize risks and protect against cyber threats. In turn, this allows for more effective attack prevention and faster isolation and mitigation of attacks that do occur.
Reason No. 2: Visual analytics enables key aspects of the digital forensic process, including data collection, discovery, investigation, examination, analysis and reporting. Visual analytics enables sense-making in cyber security and computer forensics in the following three unique ways:
First, computer network intrusion detection system (NIDS) log file data can be loaded and suspicious connections between machines examined. This data can be combined with other log data to develop a more complete understanding of security breach events.
Second, e-mails can be forensically examined to model communications patterns and to summarize e-mail content. And third, directory structures can be displayed and filtered on file modification times to see what activity occurred on what dates. Multiple file systems can be quickly compared to discover identical files that may have been transferred from one machine to another.
Reason No. 3: Visual analytics offers capabilities for information discovery, processing and visualization-tactics which apply across many applications for computer security and forensics, including:
1. Analyzing a computer system after an intrusion to determine how the attacker gained access and what the attacker did.
2. Analyzing the information on seized hardware, especially within the intelligence, military and law enforcement communities.
3. Using computer forensic techniques to analyze the computer systems belonging to defendants in legal cases.
Incorporating visual analytics into an organization’s best practices allows computer security professionals to quickly identify threats to their own organizations. By doing so earlier and more comprehensively than their competitors, this leads to significant competitive advantage in the face of increasing threats and daily attacks. As companies rely ever more heavily on computers and digital information, the rapid response enabled through visual analytics becomes even more appealing.
These reasons explain why the United States government has aggressively funded visual analytics programs for national defense, with a heavy emphasis on computer security. The National Visualization and Analytics Center (NVAC) is one such example of this. Traditionally funded through grants from the Department of Homeland Security, this effort has gained significant traction in academic and now commercial circles. Many of the products developed through this and other federal efforts are now reaching the general public, making a huge impact on the ability of companies to discover knowledge from visually analyzing myriad types and vast quantities of data.
Clearly, visual analytics has plenty to offer computer security professionals and the organizations for which they work. Applying visual analytic tools to the computer security domain is usually straightforward and, since working with interactive graphics is engaging, learning the techniques and tactics for visually analyzing computer security data is relatively simple (compared with the other skills these professionals have already developed and cultivated).
As the field continues to mature, we should see huge advances in productivity, reductions in response times, and recognition of organizations embracing this new technology when confronted with increasingly sophisticated malicious threats.
Justin Wolf is Product Manager, Government Solutions for Future Point Systems. Justin has over 20 years of experience in software and network engineering, as both an engineer and manager at companies such as Sega, Sony and Cisco Systems. Justin has a B.S. in Computer Systems and a M.S. in Engineering Management. He can be reached at firstname.lastname@example.org.