Security Tools Show Many Dots, Few Patterns

Today's security software wastes valuable time by delivering data dumps, rather than focusing on trends. But you can create your own visualizations.

Mathew Schwartz

February 28, 2013

6 Min Read
Network Computing logo

"What do you want to know?"

Great question, right? Then why do few security products -- or rather, the developers, product managers, and vendors who build them -- ask that question of their customers?

Instead, your firewall, intrusion detection system, antivirus management console, LAN manager, or other security tool report tells you about its day: The quantity of events it's detected, whether antivirus is activated, which country seems to be lobbing the most attacks your way.

If there's one commodity information security personnel don't have, it's time. Furthermore, sitting through meaningless alerts risks "banner blindness" -- so often seen in airport baggage x-ray monitoring personnel, not to mention beach lifeguards -- in which emergencies go unspotted due to input overload.

[ It's time to rethink current cyber privacy legislation. Read more at Hacking, Privacy Laws: Time To Reboot. ]

But there's a relatively easy solution: Spend a few hours tearing up your existing interfaces and create your own reports, says Jonathan Grier, a digital forensics consultant who often focuses on better ways to visualize security information.

"When I'm doing a forensic investigation, I want to see patterns and trends, but those aren't visible [in off-the-shelf products]," Grier said by phone. "The whole point of visualization, the whole point of showing me, is completely absent. It's treating me like I'm another database."

The tool you use to corral your security data isn't important. Instead, it's the ethos, and here's how to apply it: "As incident responders, sit down, take some logs -- take a real log -- and think out loud about how you'd analyze it," Grier said. "Look at the trends and the activity they're doing, then see clusters of information and think about how to assemble the data visually, and keep asking about the next step: How do we assemble this data into a bouquet of examples?"

Bouquets of examples, or "security paintings," are Grier's terms for interfaces that don't present raw data to security professionals, but rather help them find the patterns they're already seeking. "It's not that hard, if you have in-house programmers, to program up those reports," he said. Nor is it hard to know what security managers need; just ask them. Typical security managers responses may include: Do I need to call an incident response team? Do I need to shut down the network?

Grier's security interface design thinking arguments stem in part from a recent project for which he consulted that involved improving software for parents to keep tabs on their kids' Web surfing habits. Before, the monitoring software generated low-value reports, such as a pie chart illustrating the percentage of time spent on sites designated as appropriate for adults, mid-teens, pre-teens, or suitable for everyone.

But after asking parents what they were looking for and then using that input to help redesign the software, Grier created an application that first reports on patterns, including the time spent and number of sites visited across numerous site categories, such as adult, drugs, alcohol and tobacco, social networking, keywords and searches, and sports. Clicking on any of those report results then allows parents to drill down to see not only the sites visited, but also similar sites.

"[After the redesign,] we did a usability test for the consumer product, and we knocked off our socks -- parents were noticing things that we weren't even trying to show them," Grier said. "We just gave them the information, and they saw things we hadn't even thought of, because they know their family much better than we do."

One upside parents noted was getting more insight into what their kids were interested in. "One parent said, 'My son's a teenager, I asked him how his day had been and what he'd done, and of course he said nothing ... but now, I see he's really into basketball,'" Grier said.

What if the software detects harmful behavior? "Very often, knowing about it was better than blocking it," said Grier. As examples, parents cited "pro-ana" sites that encourage anorexia and eating disorders, and even musical preferences -- to learn, for example, if their son's listening habits had changed from classic rock to death metal. The point wasn't the site they were visiting, but being able to quickly spot a bigger problem.

Such clarity is all too lacking not just in kid-monitoring software for parents, but in information security products in general. "I'm a security researcher, and I can't make heads or tails of most security reports either," said Grier. "They're all, without exception, one of two types: data dumps, where they take their table information and put it on the screen and you can sort it ... or there's a nice summary report: 30% of viruses came from Hong Kong."

Neither of those works, and it's not just parents who are lost in the noise, but anyone whose job involves interacting with a security console.

Creating a fix, as noted, requires sitting down with end users -- in this case, information security professionals who use security software to track events -- and asking them to think out loud: What are they seeking from the data, and when they find something, what's their next question? In the case of the monitoring software, parents requested to not see only that their kids were visiting potentially dangerous sites, but to see -- and be able to click on the URL for --the sites, along with a list of "similar sites" that would let them quickly drill down and quickly understand the bigger picture.

Same goes for security logs: If there are log-in alerts for a user, for example, and the interface can show that 19 failed attempts came from the same IP address in the Ukraine, and also that the user has been logging in all week from the Baltimore office, then it's probably time to freeze the account.

Such data slicing and dicing gets to a reporting maxim: If 95% of security log and event data is meaningless, the imperative is to help security professionals focus on the 5%. From an interface design standpoint, then, less means more. "I'd like to see, in five years, that you by default see a pattern -- and if you want to see a pie chart or data dump, then you have to choose that," said Grier.

No one pattern will provide forensic investigators with ready-made answers to every problem. But showing patterns and trends -- especially as security big data efforts amass ever-greater quantities of event data -- will help people more easily spot anomalous behavior and focus on problems, while avoiding the cognitive waste of having to even think about non-problems.

Because after all, who's got the time?

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!

About the Author(s)

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
More Insights