There are lots of ways for a cyber security analyst to look at their data – as tables, bar charts, line graphs… But none of these can capture a key dimension: connections. That’s where network visualization comes in.
In this series, we’re going to look at how some of our customers have deployed KeyLines to help them understand the connections in their cyber security data.
Patterns and trends are interesting, but are mostly helpful for helping us see anomalies. By analyzing anomalies, an analyst can prevent data breaches, find malware entry points, predict externals attacks and generally find vulnerabilities in an organization’s perimeter.
There are broadly two approaches to getting started with a new network:
This example uses the global approach. It is a technique widely used in fraud detection and compliance environments – situations that require fast but careful decision-making based on large datasets.
An enterprise SIEM system is likely to generate thousands (or even hundreds of thousands) of security alerts every day. No analyst can hope to check each one, but they equally cannot all be ignored. By distilling a few hundred alerts in a KeyLines chart at once, we can start to see patterns and – more importantly – anomalies.
This example shows how one KeyLines customer, an online currency exchange provider, uses network visualization to analyze user login behaviors.
Irregularities in login patterns can be a useful indicator of compromise, often indicating an impending breach. Patterns to look for include:
Humans are uniquely equipped with the analysis skills required to see patterns and find outliers. By presenting a visual overview of our data in a single chart, the brain automatically spots unusual patterns:
In this screenshot, the central node of each structure indicates an online account; each connected node is an IP address that has been used to access that account. We can see that most accounts have been accessed by 1-4 different IP addresses.
There are specific star structures throughout the chart that stand out:
This indicates that individual login accounts have been accessed from multiple locations. Let’s zoom into one:
Here we have zoomed in on two ‘star’ structures. At this level, we can see more detail:
Looking closer still, we can see that the user node uses a glyph to indicate the country of registration for the account. The node connected by a thick yellow link is the account’s ‘original’ IP address.
In this example, the analyst should look at this account and ask why this user has logged into the system from more than 20 locations. If we integrate our chart with a case management system, CRM or the login database, the investigation could be reached through a context menu.
This simple example shows the power of the global graph visualization approach. Even with advances in machine learning technologies, the human brain is still unique in its analytical and creative ability.
A KeyLines chart provides the perfect way to present this complex connected cyber data in a format that a human can explore and understand.
Our updated white paper introduces the topic of network visualization for cyber security data, showing five specific examples of how KeyLines can be used to detect threats in complex cyber data, including: