Visualizing Data For Analytics And Decision Making in Cybersecurity

By Jason Ingalls, CEO of Ingalls Information Security 

Data visualization is poised to create a revolution in how analysts review, interact with, and use data in cybersecurity. To explain the capability and productivity boost that true visualization of data in all four dimensions may offer, let me share three stories from my career. Each is a period when I learned new skills involving network security concepts and cybersecurity principles because of how the information I had to work with was presented to me. These episodes shed light on how someone approaching cybersecurity from a non-technical position might make sense of massive reams of data, turn that data into information, and then into the knowledge needed to make a decision or to learn from it. These lessons helped shape the development of Viewpoint™, a visualization and mapping application for cybersecurity.

2001: Learning Unix and Multi-level Operating Systems, Databases, and Networks

Familiarity with Windows NT did not a Unix admin make, much less an integration engineer. Network traffic with RIPSO labels completely confused me for a long time, and Sun Microsystems did a great job of providing a GUI for managing things like this. Visualization, even through the pages of a GUI Wizard, gave me enough context to understand what I needed to do. I learned.

2008: My First Major Data Breach Investigation

You first understand how real hackers break into and move around a computer network, and how they steal credit cards from computers in hard-to-reach places, the first time you read a timeline graph and learn the story of the breach. Visualization is critical in explaining what happened to the lawyers and business leaders, as well as to the technicians who were responsible for kicking the bad guys out for good.

A breach response team has to be able to communicate its findings both within and outside the team. As the investigation proceeds, whiteboards (and dry erase markers) become precious commodities, with “do not erase” pages taped to them. With terrible handwriting, lines, and arrows, we mapped the breach, retrieved evidence, and planned the expulsion of the attacker.

2015: Mapping A Breach Across International Networks

A global retailer called on our team to investigate an intrusion that led to a few million stolen credit cards. The attackers used malware that could be deployed quickly across networks and could communicate back to the attacker’s Internet-connected computers, which provided instructions to deploy and harvest data. We dug through 18 terabytes of network log data in order to reconstruct the path of the intrusion.

At the end of weeks of searching through old logging databases, we came up with less than 5 megabytes of actual log data that showed the entirety of the attacker’s movements and theft of data. This led to the successful remediation of all assets within the victim network and validation that the breach had been stopped. Imagine how much faster we could have reacted if a system existed that could create a map of the breach and a list of every computer, user, and file that was involved. We did imagine it, which is why we are building Viewpoint™.

The Future: Mapping Cybersecurity Events As 4D, Interactive Models

In each of these scenarios, a system that could visualize the massive amounts of information that cybersecurity workers must deal with would have reduced the time it took to learn, identify, map, and make decisions about cybersecurity situations. The cybersecurity toolset of the future will have a 4D user interface, and analysts will use virtual reality or augmented reality systems to project themselves into an environment that presents massive amounts of data in a way that lets them gain context and situational awareness about the computer networks they are defending.