Security Tools: Visualization Is Power

Visualization tools can help ferret out security problems, but the technology has a long way to go

March 01, 2007 — CSO — Information security practitioners are overloaded with information. There is network information, like reports of scans, viruses, worms and spam blasts. There are reports from host and authentication systems—users who haven't changed their passwords and should have, users who have been locked out and users who are just plain suspicious. There are the reports from deployment and patch management systems. These days we even need to be concerned about backup systems—are they backing up the data, and is that backup data encrypted?

One of the most basic ways to help people deal with information overload is to visualize it—that is, to draw it out as a graph, plot it on a map or use the data to make some kind of diagram. Unfortunately, many of the "visualizations" provided by today's security tools and vendors are little more than bar graphs and pie charts of information that's easy to gather but meaningless to analyze.

For example, one visualization that's popular with antispam vendors is a map of the world with pie-charts or color-coded countries that show the amount of spam that each part of the world is producing. The United States is red, because most of today's spam comes from computers that have been compromised and signed up for hacker botnets. Europe, Brazil and China come next. Africa is in last place—not because the Africans are masters of computer security, but because the continent doesn't have a lot of computers or connectivity. Yes, this information is mildly interesting. But it's positively worthless when it comes to formulating an antispam strategy. What's a CSO to do—block all the e-mail that's coming from the United States?

Simple management charts and graphs might make passable eye candy for the boardroom or an annual report, but they don't work well for security management because they don't give security professionals more insight into their problems. For planning purposes it matters little how much spam is coming from Russia.

More Practical Applications of Security Visualization

Turning collected data into information that can drive a security visualization is hard work: It's much easier to collect data than it is to analyze it. Spam vendors sometimes graph how the amount of spam changes from week to week. But what's more important is how the amount of spam is changing in relationship to another variable—for example, the amount of legitimate e-mail that's being delivered. Another important metric is how much spam is delaying the delivery of legitimate mail, and how much spam is costing an enterprise in terms of computational and human resources. A graph that shows the utilization of an organization's spam-processing appliances can be used to predict when it's going to be necessary to purchase new equipment.