Build a cybersecurity dashboard to fight alert fatigue

Cybersecurity teams face hundreds of thousands of alerts on their cybersecurity dashboard every day – and a third of those alerts are never investigated. As the number of remote devices accessing business data grows, criminals find new ways to explore and exploit the wealth of endpoints available to them. “Alert fatigue” risks desensitizing IT departments to red flags as they struggle to keep their systems safe.

Cybersecurity data visualization demo

How do you protect a complicated cloud infrastructure when you don’t know what assets you have, or how they’re connected? Many businesses use extended detection and response (XDR) to aggregate the threat data behind the constant breach warnings. But without interactive data visualization, it doesn’t give them true insight – it just contributes to their information overload.

For the fast situational awareness needed to triage complex alert data, KronoGraph’s unique timeline visualization is a must-have feature on any serious cybersecurity dashboard.

This cybersecurity blog explores an example dashboard, to demonstrate how it gives analysts a scalable and intuitive way to investigate threat data, and get actionable insights when it counts.

Cyber alerts made simple with timelines

Imagine you’re a cyber analyst working through your ever-growing alerts list. But instead of seeing the standard pie chart, a table of log files and some flashing IP addresses, you see this:

A cyber security dashboard created with KronoGraph
A cyber security dashboard guaranteed to combat alert fatigue

The KronoGraph timeline view displays millions of events in a single interactive visualization. It shows important alerts in context and helps the analyst understand the impact on their wider IT infrastructure. In the example above, brightly-colored events pop out from the timeline, contrasting against the background of gray ‘normal events’. The alerts list on the right of the heatmap gives a handy summary of events the user needs to be aware of – ranked by level of urgency.

We hover over these alerts to see the events which triggered them. Clicking an alert focuses it in the timeline. Let’s start by checking out the individual events involved in an amber authentication alert. An external IP address has repeatedly attempted to log into a file server, and the final attempt succeeded:

The interactive cybersecurity dashboard lets analysts home in on the areas of the timeline that interest them

Contextual cyber alert analysis

Showing the timeline of events is a powerful way to explain the nature of an alert. But better still, the analyst can use the timeline to understand the events around it. What other activity on this file server happened immediately before or after the policy violation?

Let’s jump ahead to a few days later, when a red alert shows our database server exchanging a huge number of packets with an external entity. This tells us that data has been exfiltrated from the organization we’re monitoring:

A cluster of connected events highlighted in red
A cluster of connected events quickly paints the picture of a successful cyber-attack

We can see what the criminals were doing, but can we find out how they accessed our server, and stop it happening again? If we know when the enemy was ‘rattling our doors and windows’, we can stop the next attack before it begins.

Let’s travel back in time to look for evidence of that happening.

Cyber alert pattern of life analysis

When we use KronoGraph’s pattern of life functionality to display data summarized in hours, we uncover interesting trends. The isolated orange and yellow alerts on the left of the chart stand out. These events happened in the middle of the night, which is suspicious – the heatmap shows that it’s way outside the normal pattern of activity for these users and workstations:

Outliers stand out in a “pattern of life” heatmap
Outliers in “pattern of life” activity are easy to pick out on a heatmap

Zooming in to one of the amber alerts reveals a cluster of failed login attempts connected to Priscilla Heller’s email account, in the early hours of the morning, followed by a successful logon. That’s unusual behavior for this staff member… has their account been hacked by a cybercriminal?

Zooming in to investigate a cluster of activity
Suspicious activity in the early hours flags up an area for further investigation

Let’s explore the time period around the data exploit. We filter our view to cut through the noise and show only alert-related events. A pattern leaps out immediately. At the bottom of the heatmap, a spike in activity is represented by a string of yellow phishing alerts:

Filtering our heatmap to show only alert related events
Filtering our view, to show only alert related events, makes patterns leap out

Connecting alerts for better situational awareness

Here’s what we see when we zoom into one of those phishing events:

Digging into the detail uncovers even greater context around a single event

On the afternoon of April 26th, a user named Stanley Mraz opened an email from a hotmail account, which contained a disguised hyperlink. It’s a “low priority” alert, but seeing it in context, there are signs that it could be the direct cause of a red alert.

We quickly see that several of Stanley’s colleagues were opening emails from the same address, around the same time. It’s worth investigating these emails, to find out whether they were used as an exploit to access our IT network.

More importantly, we can see Stanley’s name elsewhere on the dashboard. His name appears on a red alert, and the notes show that his privileges were escalated on the evening of April 27th. Stanley fell for the phishing alert, and the attacker used his login to access our file server and carry out the data exfiltration.

As we zoom back to our overview and hover over the alerts we’ve looked at in sequence, we see the whole story unfold across the heatmap:

Hovering over the alerts in turn to track the story across the heatmap

Add timeline analysis to your cybersecurity dashboard

KronoGraph gives analysts the contextual awareness they need for more effective root cause analysis, so they can fix vulnerabilities and prevent similar attacks.

We’ve seen how timeline visualization brings individual alerts to life, so that analysts can quickly understand what caused them. A cybersecurity dashboard with a visualization component minimizes alert fatigue, and makes it easy to document and share insights in an intuitive and accessible way.

But there’s so much more KronoGraph can do. Request a free trial today, and explore how KronoGraph could transform your project.

A screen showing a graph visualization created using KronoGraph
FREE: Start your KronoGraph trial today

Visualize your data! Request full access to our KronoGraph SDK, demos and live-coding playground.


How can we help you?

Request trial

Ready to start?

Request a free trial

Learn more

Want to learn more?

Read our white papers


Looking for success stories?

Browse our case studies

Registered in England and Wales with Company Number 07625370 | VAT Number 113 1740 61
6-8 Hills Road, Cambridge, CB2 1JP. All material © Cambridge Intelligence 2024.
Read our Privacy Policy.