In cyber-security forensics, as in other areas where large volumes of unstructured data need to be collected and analysed, data must be stored and organised in such a way that patterns, relationships, etc. can be identified and included in the repository. In most cases it is the linkages between the data that convey information, not the data itself.
In this context, visualisation plays a key role in augmenting the human analysis and providing context to the analyst. Especially in rapidly changing situations, the ability to focus on the important, rather than the mundane, is key to securing Information and Communications Technology infrastructures and associated data. This is particularly important for most of the Micro Enterprises (MEs) and Small and Medium Enterprises (SMEs) whose resources and cybersecurity skills are limited.
The PUZZLE Monitoring Dashboard is responsible for visualising several indicators and alerts derived from the analysis performed by the rest of the PUZZLE ecosystem, such as the PUZZLE Continuous Cyber Risk Assessment service. The initial release allows the user to choose the deployment of interest and to create or edit policies that take immediate action on the monitored system. Then, as shown in the figure, the user can see the monitored components of the selected deployment as a network graph, with additional information appearing as a tooltip, as well as a timeline that depicts all the events and incidents that were detected. By clicking on any system component, the user is redirected to another section of the PUZZLE Monitoring Dashboard, where more details about its current and/or historical status are presented.
At the same time, experienced security analysts can also benefit from near real-time and high-quality cybersecurity-oriented information from a variety of sources, including external ones.
The PUZZLE Monitoring Dashboard also gives access to the Collective and Interactive Data Visualiser (CIDV), which allows end users to retrieve, analyse and visualise Cyber Threat Intelligence (CTI) from the PUZZLE blockchain services. The CIDV shall allow security personnel to query one or more channels for CTI events, visualise attack vectors anonymously, and apply filters (spatiotemporal, incident type, etc.) that enable threat hunting and correlation between events and actions taking place in peers' infrastructures.
In conclusion, while security analysts will benefit from the automated, efficient processing of the available cybersecurity-oriented information and the extraction of advanced knowledge, human input is ultimately required to complete the analysis. This makes effective and intuitive visualisation techniques key to a robust security posture against external and internal threats.
The PUZZLE ecosystem shall support security analysts and administrators in obtaining situational awareness about incidents on their own systems, as well as ongoing attacks on similar infrastructures, and in reacting in a cost-effective and reliable manner.
Author: AEGIS IT RESEARCH
Featured Photo by Tima Miroshnichenko on Pexels.