In November 2015, Microsoft CEO Satya Nadella and CISO Bret Arsenault announced an entirely new security strategy, including plans to use Microsoft’s “unique insight into the threat landscape” to build a security graph. The intention is to use Microsoft’s data from billions of endpoints “to inform how we protect all endpoints, better detect attacks, and accelerate our response,” Arsenault wrote in a blog post. This might beg the question, what is a security graph?
Data visualization is a booming segment of the big data job market, and it’s found an obvious foothold in security. The requirement of data visualization in job descriptions has increased in big data jobs by 12 percent in just the first half of 2015, which may indicate the skill is in the early stages of demand. As more companies begin to realize their need for quick digestions of large volumes of data to find trends, especially in security, the demand for visualization will likely keep increasing, vague as the description may be.
More Than Just PewPew Maps
In security, as the Microsoft executive team eluded to, visualization can provide a way of pulling together a ton of data to consume visually, since the brain can process visual information much quicker and easier than reading a log or report.
While there’s no shortage of what are known colloquially as “pewpew” maps — live graphs that show ongoing attacks, usually by country — visualization offers a lot more than just attack information. For companies looking to get a clearer picture of their networks and security status, a dashboard or graph or visualization can be an invaluable resource. It makes a visual of the invisible; puts context on the seemingly arbitrary; draws virtual lines to disparate clues.
Security graphs and visualizations have the ability to:
— Give context for spikes and pattern anomalies
— Tell a security story based on large data sets
— Show comparative performance or historical attack info
— Show live feeds and relevant world news
And of course, many other functions. OpenDNS Security Labs, for instance, does have an attack map (use Chrome for the live view). But the Labs team also developed Security Graph back in 2014, and released it as open source with an API to allow anyone to create a 3-D model that can show relational data. It’s a powerful way of visualizing relationships between data points. When using it to visualize a botnet for example, it creates a neighborhood map of malicious Internet locations (IPs and ASNs).
Thibault Reuille, an OpenDNS security researcher and creator of OpenGraphiti (the model that powers Security Graph), described the basic function of a visualization tool for security nicely in an article for Dark Reading. “By implementing a physics engine we can transform relational data, however loosely related, into a 2D or 3D structure (a visualization). Since the structure will be defined by the relationships of the data, previously unnoticed clusters or patterns can, basically, highlight themselves.”
Other companies in the security space and elsewhere are using their speciality to create visualizations. Last year, Cognitive Systems released an interesting visualization for wireless signals. Its use could be monitoring for rogue wireless devices in a server room, or scanning for IoT devices in an office. And ProtectWise announced a security graph dashboard that promised to be “like something out of Call of Duty.” In other words, something customers might want to use, not a flashy feature that doesn’t provide value.
The value a security graph or visualization provides is key for security engineers. Security teams strive to remain constantly informed. Making informed decisions and asking better questions is at the core of a good visualization tool. They can help cut through the data overload that is common in security operations.
Gregory Lewandowski, manager of analytics at Cisco, knows the goal of visualizing data well. “If we’re successful, people can see the threads in a way that allows them to ask better questions, which leads to better strategy and ultimately to a better company,” he said in an interview.
For now, the definition of a security graph may be obtuse and the function of visualizing security data might prove to be of varying utility, but they will soon become an indispensable addition to a team’s toolkit.