The challenges of visualizing cyber data
Cyber security data poses unique challenges. It is often automatically generated at millisecond levels of resolution and stored in different locations, making it unwieldy to manage.
We often speak to customers who need to detect unusual behavior inside terabytes of event and attribute data, including:
- IP logs – detecting indications of infected machines or botnet zombies.
- Network logs – uncovering applications or users that hog bandwidth so they can optimize systems and prioritize business-critical applications.
- Communications logs – for performing analysis to uncover sabotage, espionage or other unwanted activities.
- Web server logs – managing and preventing external threats, such as DDoS attacks.
Working with enriched threat intelligence data
Another category of customer data we see is ‘enriched’ cyber security data – e.g. cyber threat intelligence data. This is where the information has been pre-processed and confirmed to include anomalous behavior.
The challenge is to reduce the scale and complexity to a more human level.
Network visualization techniques provide your analysts with an intuitive interface to explore this intelligence data, helping them to piece together a story, and communicate their findings with the rest of their team.
The limitations of your cyber security software
If you are part of a security-conscious enterprise, there is a good chance you already have a cyber security data analysis system in place. It is likely to be a ‘SIEM’ cyber security platform, a combination of ‘SIM’ and ‘SEM’:
- SEM – Security Event Management: this monitors your network’s events in real time.
- SIM – Security Information Management: this provides longer-term storage of your collected data for querying and analysis.
If your SIEM solution is successful, it will help you understand threats and uncover vulnerabilities. Too often, however, SIEM systems fail to translate into real benefit due to a number of limitations:
- Information overload: people are overwhelmed by poorly presented data.
- Lack of human-friendly features: users struggle to interpret their data on anything but a superficial level.
- Limited reach: SIEM systems place security completely in the IT department’s domain. Translating insight from these systems for wider consumption is difficult.
- Difficult to manage: Most SIEM systems offer a complex web of specific rules. The result is brittle and complicated to manipulate.
White Paper: KeyLines for Cyber Security
Using real use cases from KeyLines customers, this whitepaper shows how network visualization can be used as part of a wider cyber security effort to increase efficiency and effectiveness.
The insight inside your cyber data
Network visualization helps simplify complex data into a human-friendly format that is more easily sharable – improving communication and working towards better organizational learning and security awareness.
KeyLines customers use the toolkit to build their own visualization applications for a whole range of use cases, including:
- Navigating cyber security threat intelligence
- Investigating incidents and managing responses
- Detecting malware
- Understanding dependencies and infrastructure vulnerabilities
- Forensic analysis
- General trend and pattern discovery
- Training non-technical staff in cyber security issues
Why choose KeyLines?
Most cyber security dashboards offer a static snapshot of your cyber security system. That’s only a small part of the story. KeyLines lets you:
- Put analysts in the driving seat – build a custom network visualization web application that allows your analysts to explore data at their own pace, and at their own scale.
- Share your findings – the node-link model is a simple and intuitive approach that can be easily understood by non-technical colleagues and management.
- Work on any machine – KeyLines works in any web browser on any device – including smartphones and tablets.
- Use the best tools for the job – KeyLines includes a rich library of functionality available for you to deploy to your analysts, including network filtering, temporal analysis, geospatial visualization, social network analysis and node grouping.
Cracking a botnet with network visualization
The example below demonstrates the power of network visualization in a cyber security setting.
Using a dataset from CAIDA (The CAIDA UCSD Network Telescope on the Sipscan Dataset), we configured KeyLines to visualize packets of data sent between 5000 computers at the University of San Diego.