SOC Capability Area #12) Visualization

As Threat Actors have become more sophisticated and developed better evasion techniques, Auditing/Monitoring has become a huge and complex topic area. So, we break this operational need out into more specific capability areas, each discussed in a separate article:

• Instrumentation (Sensors) Capabilities
• Monitoring (Collection, Aggregation) Capabilities
• Detection (Analytics, human or automated) Capabilities
• Visualization and Notification Capabilities

Visualization, Notification 

The adage “a picture is worth a thousand words” is apparently true even in Security Operations. One of the most sought after capabilities we continue to run into is that of “Visualization”. But more often than not, the stakeholders we speak with, on behalf of our Security Operations clients, struggle to explain exactly what questions they are trying to answer with these visualizations. (Note: Ask me about Protinuum's model of the "5 What Imperatives"™ of Cyber SA - What?, So What?, What Else?, Now What?, and What If?)

Most have an affinity for large, complex, data-rich, and often highly dynamic displays. With a few exceptions (notably those visualizations that provide some critical context, and/or allow Tier 2 or 3 Analysts to expose complex patterns), such complex visualizations typically do not prove very useful to the majority of roles within Security Operations (access control, incident detection, incident response, etc.). However, they can be very effective with external stakeholders in articulating the enormity of the challenge that Security Operations face. (Note: SecViz.org is a community of practitioners that regularly research the practical effectiveness of new visualization techniques in this area.)

Visualization capabilities that have proven more practical to Security Operations look more like traditional Business Intelligence (BI) capabilities, only focused on security information. Internal to Security Operations, trending metrics such as patch compliance status, event/alarm statistics, and incident handling metrics expose the day-to-day operational tempo of the environment. These expose the quantitative picture of the Security Operations primary challenge of holding back the tide. But the same metrics-dense dashboards regularly prove ineffective for senior leaders and board members, who are looking for a qualitative picture of the current Risk to the business that their dependencies on cyberspace present.

It is the qualitative aspects of an incident (e.g., potential impact on the business) which allow Analysts to prioritize events, insuring they remain focused on what really matters most to the business.

Traditionally, vendors that focus on providing qualitative pictures of Risk describe their offerings as Governance, Risk and Compliance (GRC) solutions. GRC platforms gather quantitative metrics, but present qualitative views of Risk to a broad range of users. Historically, the primary limitation to GRC offerings is their (partial) disconnect with the dynamic monitoring in Security Operations. Yes, GRC applications do a good job of incorporating passive data like vulnerability patching and compliance. But most do not integrate with the more dynamic sources of detection analytics that continue to mature rapidly in this space. And those that do, are still very weak at capturing Business Dependencies to automatically put that activity in terms of Consequences – the potential impact to the business. The most impactful visualizations are those that cast cyber events (vulnerabilities, threats, incidents, etc.) in the context of the Business, sometimes referred to as “Operational Pictures”.

Ultimately, if you want to know what is really going on. If you want to make informed decisions. We repeat it often… “Context is Everything.”