Security Tools Show Many Dots, Few Patterns

Mathew J. Schwartz, InformationWeek | March 01, 2013 09:06 AM


"What do you want to know?"

Great question, right? Then why do few security products -- or rather, the developers, product managers, and vendors who build them -- ask that question of their customers?


Instead, your firewall, intrusion detection system, antivirus management console, LAN manager, or other security tool report tells you about its day: The quantity of events it's detected, whether antivirus is activated, which country seems to be lobbing the most attacks your way.

If there's one commodity information security personnel don't have, it's time. Worse, sitting through meaningless alerts invites the "banner blindness" familiar from airport baggage X-ray screeners and beach lifeguards, in which real emergencies go unspotted because of input overload.


But there's a relatively easy solution: Spend a few hours tearing up your existing interfaces and create your own reports, says Jonathan Grier, a digital forensics consultant whose work often focuses on better ways to visualize security information.

"When I'm doing a forensic investigation, I want to see patterns and trends, but those aren't visible [in off-the-shelf products]," Grier said by phone. "The whole point of visualization, the whole point of showing me, is completely absent. It's treating me like I'm another database."

The tool you use to corral your security data isn't what matters; the ethos is, and here's how to apply it: "As incident responders, sit down, take some logs -- take a real log -- and think out loud about how you'd analyze it," Grier said. "Look at the trends and the activity they're doing, then see clusters of information and think about how to assemble the data visually, and keep asking about the next step: How do we assemble this data into a bouquet of examples?"

Bouquets of examples, or "security paintings," are Grier's terms for interfaces that don't present raw data to security professionals, but rather help them find the patterns they're already seeking. "It's not that hard, if you have in-house programmers, to program up those reports," he said. Nor is it hard to know what security managers need; just ask them. Typical questions from security managers include: Do I need to call an incident response team? Do I need to shut down the network?

Grier's arguments about security interface design stem in part from a recent consulting project to improve software that lets parents keep tabs on their kids' Web surfing habits. Before the redesign, the monitoring software generated low-value reports, such as a pie chart of the percentage of time spent on sites rated as appropriate for adults, mid-teens, pre-teens, or everyone.

But after asking parents what they were looking for and then using that input to help redesign the software, Grier created an application that first reports on patterns, including the time spent and number of sites visited across numerous site categories, such as adult, drugs, alcohol and tobacco, social networking, keywords and searches, and sports. Clicking on any of those report results then allows parents to drill down to see not only the sites visited, but also similar sites.

"[After the redesign,] we did a usability test for the consumer product, and we knocked off our socks -- parents were noticing things that we weren't even trying to show them," Grier said. "We just gave them the information, and they saw things we hadn't even thought of, because they know their family much better than we do."

One upside parents noted was getting more insight into what their kids were interested in. "One parent said, 'My son's a teenager, I asked him how his day had been and what he'd done, and of course he said nothing ... but now, I see he's really into basketball,'" Grier said.

What if the software detects harmful behavior? "Very often, knowing about it was better than blocking it," said Grier. As examples, parents cited "pro-ana" sites that encourage anorexia and eating disorders, and even musical preferences -- to learn, for example, if their son's listening habits had changed from classic rock to death metal. The point wasn't the site they were visiting, but being able to quickly spot a bigger problem.

Such clarity is all too lacking not just in kid-monitoring software for parents, but in information security products in general. "I'm a security researcher, and I can't make heads or tails of most security reports either," said Grier. "They're all, without exception, one of two types: data dumps, where they take their table information and put it on the screen and you can sort it ... or there's a nice summary report: 30% of viruses came from Hong Kong."

Neither of those works, and it's not just parents who are lost in the noise, but anyone whose job involves interacting with a security console.

Creating a fix, as noted, requires sitting down with end users -- in this case, the information security professionals who use security software to track events -- and asking them to think out loud: What are they seeking from the data, and when they find something, what's their next question? In the case of the monitoring software, parents asked not merely to be told that their kids were visiting potentially dangerous sites, but to see the sites themselves, click through to the URLs, and get a list of "similar sites" that would let them quickly drill down and understand the bigger picture.

The same goes for security logs. If there are login alerts for a user, for example, and the interface can show both that 19 failed attempts came from the same IP address in Ukraine and that the user has been logging in all week from the Baltimore office, then it's probably time to freeze the account. The useful pattern is the contrast between where the failures cluster and where the user actually succeeds, not the raw count of alerts.

Such data slicing and dicing gets to a reporting maxim: If 95% of security log and event data is meaningless, the imperative is to help security professionals focus on the 5%. From an interface design standpoint, then, less means more. "I'd like to see, in five years, that you by default see a pattern -- and if you want to see a pie chart or data dump, then you have to choose that," said Grier.
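As an added illustration of the login example above and of Grier's "take a real log and think out loud" method, the following Python turns constructed sshd-style log lines into the pattern a responder wants: for each user, where the failed logins cluster, and whether that source matches where the user actually gets in. This is example code written for this page, not Grier's software or any product's. The log lines, the user names, the office network table standing in for an asset inventory or GeoIP database, and the ten-failure threshold are all assumptions.

```python
"""Added example (not the page's or any product's code): reduce raw login
events to the pattern a responder wants, where a user's failures cluster and
whether that source matches where the user normally succeeds."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches OpenSSH-style "Accepted/Failed password" lines; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
# Assumed stand-in for an asset inventory or GeoIP lookup.
KNOWN_NETWORKS = {
    ipaddress.ip_network("10.20.0.0/16"): "Baltimore office",
    ipaddress.ip_network("10.30.0.0/16"): "Denver office",
}
FAIL_THRESHOLD = 10  # assumed tuning value; smaller bursts are treated as noise


def log_line(day, hms, user, result, ip):
    """One constructed sshd log line (hypothetical host 'gw', fixed pid and port)."""
    return f"Feb {day} {hms} gw sshd[4242]: {result} password for {user} from {ip} port 51000 ssh2"


def build_sample_log():
    """Constructed sample: three hypothetical users, three different stories."""
    rows = []
    # jsmith logs in every morning from the Baltimore office ...
    for day in (25, 26, 27, 28):
        rows.append(log_line(day, "08:02:11", "jsmith", "Accepted", "10.20.30.5"))
    # ... then 19 failures arrive overnight from an outside address that never gets in.
    for i in range(19):
        rows.append(log_line(28, f"23:{i:02d}:30", "jsmith", "Failed", "203.0.113.45"))
    # bwong mistypes twice at his own desk, then succeeds: noise.
    rows.append(log_line(28, "09:10:00", "bwong", "Failed", "10.30.8.9"))
    rows.append(log_line(28, "09:10:04", "bwong", "Failed", "10.30.8.9"))
    rows.append(log_line(28, "09:10:09", "bwong", "Accepted", "10.30.8.9"))
    # mlee: 12 outside failures followed by a success from the same address.
    for i in range(12):
        rows.append(log_line(28, f"02:{i:02d}:00", "mlee", "Failed", "203.0.113.77"))
    rows.append(log_line(28, "02:12:00", "mlee", "Accepted", "203.0.113.77"))
    return "\n".join(rows) + "\n"


def location(ip):
    """Label an address using the assumed network table."""
    addr = ipaddress.ip_address(ip)
    for net, name in KNOWN_NETWORKS.items():
        if addr in net:
            return name
    return "outside the organization"


def parse_events(text):
    """Return (timestamp, user, result, ip) for every line that matches LINE_RE."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["user"], m["result"], m["ip"]))
    return events


def analyze(events):
    """One finding per (user, source) whose failure count crosses the threshold."""
    fails = defaultdict(Counter)                           # user -> ip -> failures
    success_days = defaultdict(lambda: defaultdict(set))   # user -> ip -> distinct days
    for ts, user, result, ip in events:
        if result == "Failed":
            fails[user][ip] += 1
        else:
            success_days[user][ip].add(ts.date())
    findings = []
    for user, per_ip in fails.items():
        # Baseline: where, and on how many distinct days, this user actually got in.
        baseline = {ip: len(days) for ip, days in success_days[user].items()}
        for ip, n in per_ip.most_common():
            if n < FAIL_THRESHOLD:
                continue  # the 95 per cent nobody needs to look at
            where = location(ip)
            if ip in baseline and where == "outside the organization":
                action, why = "freeze", "brute force followed by a success from the same outside address"
            elif ip in baseline:
                action, why = "investigate", "repeated failures from a location the user normally uses"
            else:
                action, why = "freeze", "failures from an address the user has never logged in from"
            usual = ", ".join(f"{location(k)} ({k}) on {d} day(s)"
                              for k, d in baseline.items() if k != ip)
            findings.append({"user": user, "source": ip, "failures": n, "source_location": where,
                             "usual_locations": usual or "no other successful logins seen",
                             "action": action, "reason": why})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(build_sample_log())):
        print(f"{f['user']}: {f['failures']} failures from {f['source']} ({f['source_location']}); "
              f"usually from {f['usual_locations']} -> {f['action'].upper()}: {f['reason']}")
```

Run stand-alone, the script prints one line per finding rather than the 39 raw events: jsmith's 19 failures from an outside address set against four days of successful Baltimore logins, and mlee's brute force that ended in a success from the same address. bwong's two typos never appear, which is the point: the threshold and the baseline comparison do the filtering so the responder only sees the contrast that matters.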

No one pattern will provide forensic investigators with ready-made answers to every problem. But showing patterns and trends -- especially as security big data efforts amass ever-greater quantities of event data -- will help people more easily spot anomalous behavior and focus on problems, while avoiding the cognitive waste of having to even think about non-problems.

Because after all, who's got the time?

