The success of a company's cyber security tools depends heavily, if not entirely, on how organizations, individuals, Security Operations Centers and Network Operations Centers actually use their data.
Terabytes of data are generated daily, and among all the noise it is very easy to miss alerts and outliers, and to lose focus when dealing with unstructured data.
The Advanced Visualizations Process
When setting up visualizations for companies it is important to keep the original requirements in mind, so that the result is not only readable and accessible to every member of the team, but also easy to interpret and explain, making patterns, trends, outliers and anomalies understandable so that potential threats can be eliminated.
The recommended process for the creation of Advanced Visualizations looks like this:
Validation of Log Sources
Validation of Log Sources is a crucial step, since it sets the bar for data quality and granularity. Data ingestion must follow best practices for security and integrity. Additionally, data should be structured by categories and types, field names should be concise and follow a consistent naming convention, values should be properly extracted and enriched where possible, and unused data should be discarded at this stage to improve the performance of the system.
This is a tedious, time-consuming and challenging task, since the data is very often unstructured or missing crucial parts, but once this step is accomplished it is a solid foundation for building the visualizations.
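As an added example (not part of the original article), the following Python sketch applies the validation step above to a few constructed log records from two hypothetical sources: it renames fields to a snake_case convention, discards unused fields, coerces severity onto one integer scale and counts missing required fields per source, the kind of gap that later surfaces as flooded or empty reports. All source names, field names, schema and records are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed records from two hypothetical sources: inconsistent names, an unused debug field, a missing field.
RAW_EVENTS = [
    {"source": "fw", "Src IP": "10.0.0.5", "dst_ip": "10.0.0.9", "action": "deny", "sev": "3", "debug_blob": "..."},
    {"source": "fw", "Src IP": "10.0.0.6", "dst_ip": "10.0.0.9", "sev": "1"},
    {"source": "proxy", "src_ip": "10.0.0.7", "url": "http://example.test/", "sev": "high"},
]

# Assumed target schema: concise snake_case names and the required fields per source category.
FIELD_MAP = {"Src IP": "src_ip", "sev": "severity"}
REQUIRED = {"fw": ["src_ip", "dst_ip", "action", "severity"], "proxy": ["src_ip", "url", "severity"]}
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
NAME_CONVENTION = re.compile(r"^[a-z][a-z0-9_]*$")

def normalize_severity(value):
    """Enrich: map severity words and numeric strings onto one integer scale."""
    if isinstance(value, str) and value.lower() in SEVERITY_WORDS:
        return SEVERITY_WORDS[value.lower()]
    try:
        return int(value)
    except (TypeError, ValueError):
        return None  # unparseable severity is treated as a missing field

def normalize_event(raw):
    """Rename fields to the convention, discard unused ones and enrich values."""
    category = raw["source"]
    keep = set(REQUIRED[category]) | {"source"}
    event = {}
    for key, value in raw.items():
        name = FIELD_MAP.get(key, key)
        if name not in keep:
            continue  # unused data is discarded at ingestion time
        value = normalize_severity(value) if name == "severity" else value
        if value is not None:
            event[name] = value
    missing = [f for f in REQUIRED[category] if f not in event]
    return event, missing

def validate_source(raw_events):
    """Return normalized events plus a per-source count of missing required fields."""
    events, gaps = [], Counter()
    for raw in raw_events:
        event, missing = normalize_event(raw)
        assert all(NAME_CONVENTION.match(k) for k in event), list(event)
        events.append(event)
        for field in missing:
            gaps[(raw["source"], field)] += 1  # feeds the later review of empty or flooded reports
    return events, gaps
```

A non-empty gap counter after ingestion is the signal that a source's quality assurance is not yet complete and that reports built on it will be incomplete.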
Definition of Use Cases List
Defining the list of Use Cases required by teams across the organization is important to capture the desired output, so that the team is able to work with, navigate and use the output as intended. Use Cases should target specific needs and be as precise as possible, avoiding generalization, abstraction and overlap with other objectives.
Build Visualizations for defined Use Cases
Before building visualizations for the defined Use Cases it is necessary to explore all the available options. There is a vast range of possible visualizations, from simple table views to pie charts and complex dashboards with drill-downs, time tokens and more.
The requirements defined in the previous step should help identify which type of visualization fits each use case best.
Validation of the Output
Validate false positives and false negatives and improve where necessary before going into production with the Use Cases.
There is a high chance that quality assurance of some log sources was not 100% complete due to lack of time or human error; this may result in some reports being flooded with events while others lack events entirely.
Improve the Output
Keep the feedback loop open to improve the quality of the visualizations: add or remove details, enhance the quality of the underlying data and adjust to the company's needs.
As time goes by and the visualizations are actively used by the teams, it is important to keep in mind that the requirements change as well.
Feeding back every detail that requires a change is therefore crucial for the visualizations to stay relevant and up to date.