Building engaging visualization tools for cyber analysts

Cyber security analysts have a tough job. IP information, server logs, communications records: the data they need to understand is big, complex, and generated every millisecond. If they don’t do it well, important alerts get missed, the risk of malware attacks increases, network vulnerabilities are exploited and post-attack forensics lack insight.

Data visualization is the best way to uncover the vital threat information lying hidden amongst rows and rows of tabular information.

We’re all used to seeing cyber security data visualized in movies or on TV. Often the visualizations are big, beautiful – and scary.

Retro cyber data visualizations, from Wargames (1983), United Artists. Image Source: IMDb
Retro cyber data visualizations, from Wargames (1983), United Artists. Image Source: IMDb

In the real world, looking good isn’t enough. The visualizations have to reveal crucial insight.

Rather watch a video?

This blog post is also available as an on-demand webinar.

Data visualization in the cyber security lifecycle

A lot of the data cyber security analysts need to understand is complex and low-level. It’s difficult to comprehend visually.

Typical cyber data: a few seconds of data packets passing through my laptop’s network card
Typical cyber data: a few seconds of data packets passing through my laptop’s network card

To understand and explain this data, analysts need engaging visualizations. We see three key stages in the cyber security lifecycle where visualization is especially important.

Let’s take a look.

Cyber threat intelligence analysis

Cyber threat intelligence is information describing the cyber threat landscape. There’s no shortage of it available – the challenge is understanding and communicating it.

Here we’re looking at data about different malware threats and the vulnerabilities they exploit. Visualizing this as a set of connected entities, we can build up an interactive threat landscape that’s clear and simple to understand.

We’re visualizing attack vectors and targeted organizations. With this insight, organizations can see the threats affecting others in their sector, assess their own vulnerabilities and define their own preventative measures.

visualizing attack vectors

Cyber threat detection

As well as preparing for future attacks or breaches, cyber analysts need to understand threats they face in real-time. This often means detangling complex ‘hairballs’ of data so analysts and their colleagues can get clear insight.

Here’s a high-level representation of a network that uses aggregated views (our combos function). Analysts interact with combo nodes to dig deeper into the network and reveal detail on-demand.

Overlaying the network on a map or diagram gives analysts a clear understanding of what’s happening, quickly.

Incident investigation and forensics

When performing an investigation, the cyber analyst wants to understand the who, where, what, how and when of an incident. Graph visualization helps with all of those dimensions, but there are specific techniques to make sense of the ‘when’.

Most cyber data has some kind of time element to it. Here we’re looking at the spread of a piece of malware over time. By ‘playing back’ this information through time, we immediately understand its behavior in a way that we could never achieve by reviewing a set of security logs.

incident investigation and forensics

We can go even deeper with our malware timeline analysis. Building a timeline visualization directly from your data lets you analyze precisely when malware events occurred and how they unfolded.

Here’s a KronoGraph timeline visualization investigating network traffic and possible malware attacks. It shows packets sent from a laptop to other websites, revealing a forensically detailed sequence of events.

KronoGraph malware timeline analysis

If we integrate KronoGraph with our graph visualization toolkits, we can combine timeline analysis with network analysis, enhancing our malware investigation with two powerful views of the same data.

Engaging visualization is vital to effective cyber security

In order to understand cyber security threats, you need to visualize them. The data simply isn’t user-friendly without visualization.

You can learn more about the visualizations shared in this post, and some extra examples not covered, in my webinar data visualization techniques for cyber security analysts.

If you’d like to try them yourself, or have your own cyber security data to visualize, request a free trial account for our graph visualization toolkits.

This post was originally published some time ago. It’s still popular, so we’ve updated it with fresh content to keep it useful and relevant.

More from our blog

Visit our blog

Registered in England and Wales with Company Number 07625370 | VAT Number 113 1740 61 | 6-8 Hills Road, Cambridge, CB2 1JP. All material © Cambridge Intelligence 2020.