CSOs, CISOs and Heads of Security are all confronted by one ever-present issue: finite resources. The need to allocate limited resources, whether financial, technological or human capital, is one of the few constants in an industry continually undergoing rapid change.
The digital revolution has brought rapid growth in technology. Organisations are adopting it at a rate that creates headaches for security managers who are already short of resources. There is no silver bullet for a problem this complex, and security managers need tools that help them focus attention on the highest-risk items.
Security professionals often regard data visualisation as an expensive and time-intensive exercise. When done poorly, it is. When done well, it can be a cost-effective and highly efficient way to bring order to chaos.
SIEM and SIEM-like products offer comparable data analytics capabilities for security, primarily around event correlation. Unfortunately these products can be costly and generally require significant investment by the organisation before they become effective; smaller organisations may struggle to find this option feasible.
Presenting ordinary data in a visual format on a smaller scale can be done with tools readily available to most people, such as Excel. Next-generation data visualisation software such as Tableau and QlikView, however, provides a powerful and easy-to-use platform for presenting data in a user-friendly format at a reasonable cost.
Keeping it simple and being creative is the best way to leverage data visualisation. Any set of data can be a starting point, and there is no shortage of data in the IT world. Asset registers and the like are a good place to start. A good example that demonstrates some of the useful capabilities of data visualisation is an information repository register.
An information repository register can run to hundreds of entries even for smaller organisations and generally covers the repositories which store business information such as customer records, HR employee files, legal documents and board papers.
A good information repository register contains an extensive listing of all known locations of such sensitive business information. Each entry should represent a distinct system, file server or database. The more data attributes captured, the more value the register contains.
Common security attributes should be captured for each repository. Examples include whether it has been penetration tested, whether it has been security hardened, how often user access reviews (UARs) are conducted, how many data records are stored, where it is hosted, the sensitivity level of the data stored, whether data is encrypted in transit and at rest, and whether it has logging capabilities. Capturing these as consistent yes/no or fixed-scale values rather than free text is what makes the register filterable later.
Gathering all this information is straightforward when the work is divided amongst multiple teams: providing a skeleton of the register to stakeholders across the organisation to populate and return is an effective way to complete the exercise with minimal effort.
The next step is to digest and visualise the raw data using Tableau or QlikView. Once the information is presented on a single dashboard, it becomes intuitive to delve into what was once endless rows of data and identify patterns or scenarios that may not have been apparent before it was organised and visualised.
An example of a precarious combination of attributes to look out for is a system that stores sensitive information, is hosted externally and does not encrypt data in transit. Once these attributes are recorded in the register and presented on an interactive dashboard, it takes as little as three mouse clicks to whittle the list down to the repositories fitting a particular scenario and display them in an easy-to-read format.
Unsorted example information repository register with 8 entries
Externally hosted repositories with no encryption in transit (systems with increased likelihood of data loss)
Sensitive data repositories with no audit trails and low UAR frequency (systems with increased susceptibility to insider threats)
Identifying at-risk systems by combining data attributes such as the above provides a more scientific method of determining where to efficiently allocate project time and resources for maximum gain.
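The two scenarios above, expressed as plain code so the filter logic can be checked before it is built as dashboard filters. This is an added example and not the author's Tableau workbook: the eight-entry register is constructed sample data, and the sensitivity scale, the UAR frequency scale, the "confidential or above" threshold for "sensitive" and the weights in the risk score are all assumptions made for the example. It goes one step beyond the text by ranking every repository with a simple additive score, which is one way to turn the "precarious combination" idea into a remediation order.

```python
"""Filtering an information repository register for risky attribute combinations.

Added example: a constructed 8-entry register (sample data, not from the article)
and the two scenario filters described in the text, written in plain Python so the
logic can be verified before it is rebuilt as Tableau/QlikView dashboard filters.
"""
from dataclasses import dataclass
from typing import Callable, List

# Both scales are assumptions chosen for this example; the article's register
# template leaves the exact values open.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
UAR_FREQUENCY = {"never": 0, "annual": 1, "quarterly": 2, "monthly": 3}


@dataclass(frozen=True)
class Repository:
    name: str
    sensitivity: str          # key of SENSITIVITY
    records: int              # number of data records stored
    hosted_externally: bool
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    has_audit_logging: bool
    uar_frequency: str        # key of UAR_FREQUENCY (how often user access reviews run)
    pen_tested: bool
    hardened: bool


# Constructed sample register; every name and attribute value is invented.
REGISTER: List[Repository] = [
    Repository("CRM (SaaS)", "confidential", 250_000, True, False, True, True, "annual", True, True),
    Repository("HR file share", "restricted", 4_000, False, True, False, False, "never", False, False),
    Repository("Board papers portal", "restricted", 1_200, True, True, True, True, "quarterly", True, True),
    Repository("Legacy billing DB", "confidential", 900_000, False, False, False, False, "annual", False, False),
    Repository("Marketing site CMS", "public", 0, True, False, False, True, "never", True, True),
    Repository("Legal document store", "restricted", 15_000, True, False, True, False, "annual", True, False),
    Repository("Intranet wiki", "internal", 0, False, True, False, True, "annual", False, True),
    Repository("Payroll (outsourced)", "restricted", 4_100, True, True, True, False, "never", True, True),
]


def is_sensitive(repo: Repository) -> bool:
    """'Sensitive' here means confidential or above; an assumed threshold."""
    return SENSITIVITY[repo.sensitivity] >= SENSITIVITY["confidential"]


def external_unencrypted_transit(repo: Repository) -> bool:
    """Scenario 1 from the article: hosted externally and no encryption in transit."""
    return repo.hosted_externally and not repo.encrypted_in_transit


def insider_threat_exposure(repo: Repository) -> bool:
    """Scenario 2: sensitive data, no audit trail, and low UAR frequency (annual or never)."""
    return (is_sensitive(repo)
            and not repo.has_audit_logging
            and UAR_FREQUENCY[repo.uar_frequency] <= UAR_FREQUENCY["annual"])


def select(register: List[Repository], predicate: Callable[[Repository], bool]) -> List[str]:
    """Names of the repositories matching a scenario, in register order."""
    return [r.name for r in register if predicate(r)]


def risk_score(repo: Repository) -> int:
    """Simple additive score (weights are assumptions) used to rank remediation.

    Each missing control adds one point; the total is doubled for externally
    hosted systems and scaled by sensitivity, so the same gap on restricted
    data outranks the same gap on internal data.
    """
    gaps = sum([
        not repo.encrypted_in_transit,
        not repo.encrypted_at_rest,
        not repo.has_audit_logging,
        not repo.pen_tested,
        not repo.hardened,
        UAR_FREQUENCY[repo.uar_frequency] <= UAR_FREQUENCY["annual"],
    ])
    exposure = 2 if repo.hosted_externally else 1
    return gaps * exposure * (SENSITIVITY[repo.sensitivity] + 1)


def ranked(register: List[Repository]) -> List[Repository]:
    """Register sorted from highest to lowest risk score, ties broken by name."""
    return sorted(register, key=lambda r: (-risk_score(r), r.name))


if __name__ == "__main__":
    print("External, no encryption in transit:", select(REGISTER, external_unencrypted_transit))
    print("Insider threat exposure:", select(REGISTER, insider_threat_exposure))
    for r in ranked(REGISTER):
        print(f"{risk_score(r):3d}  {r.name}")
```

The point of writing the predicates as named functions is that each dashboard filter has an exact, reviewable definition: if "low UAR frequency" later needs to mean "less than quarterly" rather than "annual or never", the change is one line and the effect on the list is immediately visible. The score is only a prioritisation aid; it should be sanity-checked against the analyst's judgement rather than treated as a measurement.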
Data visualisation can also have a profound impact when presenting to senior management, boards and executives. The ability to quickly identify specific scenarios and tailor reports on the fly during a presentation can make a world of difference, providing quantifiable evidence to underpin a business case or report.
It can also be used in a similar way to justify security spend by highlighting return on investment and improvement over time. This will be covered in more detail in a following article on the use of data visualisation as a reporting tool.
The security industry is only beginning to embrace analytics as an invaluable asset in the constant battle to protect organisations and their information assets; there is a long way to go and much more potential to be leveraged.
Charn Tangson is a senior analyst in the Deloitte Australia Cyber Risk Services team. Charn has a focus and passion for information security, with particular interest and expertise in security management, advisory and transformation as well as third-party vendor security. In addition, Charn has experience in Tableau data visualisation for security as well as penetration testing, and competed in the Global Cyberlympics 2015 ethical hacking world finals in Washington DC. He has advised numerous companies in the ASX100, large multinational corporations, and state and federal public sector clients on managing and improving their information security. Charn is also a member of the Australian Information Security Association (AISA) and the Information Systems Audit and Control Association (ISACA).