Visualisation: best practices
30.11.2023

Security Vision


What it is and why


When you need to assess the situation as a whole quickly (and thoughtfully) and answer complex, multi-part questions, visualisation comes to the rescue. In our case we will mostly talk about performance metrics in the field of IS, but in fact everything below applies to the business segment as well, since the logic of setting up BI solutions is similar.


Visualising performance results lets you both evaluate the performance of systems or people and justify a request, for example the department's need for new positions or the withdrawal of a particular security tool.


Our article looks at what options are commonly offered out of the box, what questions they answer, and what best practices we ended up carrying over from product to product.


What are the needs?


Today's world is like a kaleidoscope: everything changes at incredible speed, and what was current a moment ago is considered obsolete the next. Moreover, the amount of information per unit of time has become so dense that not getting lost in it is a challenge in itself. And when running a business, mistakes in interpreting data can be very costly.


In such circumstances the value of visual analytics multiplies. The saying ‘better to see it once’ is still relevant. What remains is to make sure that what we see is clear, informative and lets us draw conclusions quickly.


Before creating visual analytics, let's answer a few simple but key questions:


Who is it for?


Look at the business through the eyes of your customers and half the job is done. A team leader starts every morning with an analysis of their team's KPIs, while the top manager of an organisation may look at a dashboard twice a year. The person on duty at the monitoring console is constantly watching one chart or another.


With such simple inputs, several categories of target audience emerge at once, and each of them needs its own set of analytics.


What is it for?


When creating analytical tools, always remember that any dashboard, chart or report should answer a question. Formulate that question correctly and you already have the set of metrics you need. For example, working in shifts requires an understanding of the efficiency of each shift, and so a report is born from which it is immediately clear how each shift performed.


What others are offering


The many classes of IS solutions on the market come with an equally wide range of metrics, dashboards and reports built into the product. What is most common?


All-inclusive


In some products the vendor has already done the thinking for us and included everything that, in their opinion, is most necessary and important. Dozens, if not hundreds, of pre-configured visual layouts with a limited set of metrics are available out of the box.


This is quite convenient if you want to take the system and start working right away without spending time on customisation, or if you don't have your own analytical layouts that your team is used to and that conveniently display your company's subject area and metrics.


Such reports or dashboards often cannot be changed (sometimes you can play with the views: arrange them differently, apply simple filtering and choose how the data is displayed). But vendors usually take into account the most common requests of the market, and everything configured for the general case turns out to be necessary and relevant.


However, within this paradigm there are cases where the vendor follows the logic of ‘one query - one report’ and visually presents only the technical indicators of the system itself in real time.


We do not dispute that in some cases, when we are talking about IT, processes or monitoring, this approach is justified, but in the case of a SOC, customisation will definitely be required.


Do it yourself


The main thing is not to go overboard with this customisation. It will be hard to work if you suddenly find yourself with nothing (or almost nothing) configured out of the box.


A detailed, low-level designer is responsible for visualisation here; you just need to make sure it is not too monstrous, heavy and complex, both for querying and for rendering. It is great if it comes down to ordinary embedded HTML and you don't have to literally program the interface, which would require knowledge not only of, for example, SQL queries but also of some programming languages. Otherwise the entry threshold for a specialist customising visuals rises immediately, and the time customers usually spend on customising infographics multiplies many times over. Such qualified personnel, however, can not only ‘make it pretty’ but also fill the metrics with complex and relevant analytics; some companies have entire departments of BI and other specialists creating reports as part of consulting services. Over time, of course, almost anything can be implemented with this approach.


This is exactly the approach found in third-party solutions originally designed for somewhat different functionality, but nowadays it is not uncommon for some vendors in the IS world to take a rather similar approach.


For example, a number of BI solutions are built this way: the user is given a large stock of mathematical formulas and queries to any system, and under the bonnet sits an engine that supports Python or Java, or something more exotic. The flexibility of such systems is incomparable to anything else; any block or button in this case is limited only by imagination.


Combining the pleasant with the useful


There is also an integrated approach: a mix of complex and not-so-complete examples out of the box, tuned for the ‘average hospital’ customer.


The builder, as we have noticed from experience, is in this case not so low-level: it is a no-code set of visual representations, and tuning it requires only knowledge of the professional field (and a good analyst). Pre-configured reports and dashboards may suit most people with minor adjustments, while the rest can quickly and easily set up the rendering of missing metrics.


There are now several vendors on the market practising this approach, including domestic ones. We are one of them.


Our best practices


So, one more question remains to be answered:


How to implement it?


Based on our accumulated experience in creating IT products, we have developed an effective approach to creating targeted analytical tools.


The main and, at the same time, the most difficult thing remains the choice of key metrics for each specific process. They should be as simple and unambiguously interpretable as possible (remember Edward Tufte's principle of ‘a little ink in a small space’?). It is better to let the user ‘fall through’ the diagram (drill down) than to complicate it with a clutter of data.


You also need to choose the right period for data analysis: do we need information over the whole history, for a specific period of time, or a slice of data for the current moment?


And don't forget the little things, where the devil lies: correct names for charts and graphs, labelled axes (with units of measurement), a clear legend. All of this ensures the clarity, precision and unambiguity of our analytics.


Taking all of the above into account, we build a set of inbuilt reports and dashboards into our solutions with the ability to apply a role model, so that each employee sees only the metrics relevant to them.


Examples of our dashboards:

- An operational dashboard describes everything that is happening right now in your organisation. An employee needs only a few seconds to assess what is happening and, if necessary, take the right action.

- An analytical dashboard provides data for a more measured and thoughtful analysis, helping to identify hidden patterns and trends and adjust business processes accordingly.

- A strategic dashboard lets you look at key metrics over a long period, make sure the company is on the right track and, if necessary, adjust course or develop an additional development strategy.

- Many metrics relevant to the IS field are tied to geographical location (where the attack is coming from, which office is under attack, and so on), which is why we did not forget about the interactive map.
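As an added example (not Security Vision's code), the Python sketch below computes the three horizons listed above over a few constructed incident records: the operational slice of open incidents, the analytical per-shift efficiency report from ‘What is it for?’ with a drill-down behind it, and the strategic whole-history trend, and then applies a role model so that each role receives only its own widgets. The record format, role names and widget names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample incident records (not real data); "closed" is None while an incident is open.
INCIDENTS = [
    {"id": 1, "opened": "2023-11-27T08:10", "closed": "2023-11-27T09:40", "shift": "day", "severity": "high"},
    {"id": 2, "opened": "2023-11-27T21:00", "closed": "2023-11-27T23:30", "shift": "night", "severity": "medium"},
    {"id": 3, "opened": "2023-11-28T10:05", "closed": "2023-11-28T10:35", "shift": "day", "severity": "low"},
    {"id": 4, "opened": "2023-11-28T22:15", "closed": "2023-11-29T01:15", "shift": "night", "severity": "high"},
    {"id": 5, "opened": "2023-11-29T14:00", "closed": None, "shift": "day", "severity": "high"},
    {"id": 6, "opened": "2023-11-20T09:00", "closed": "2023-11-20T12:00", "shift": "day", "severity": "medium"},
    {"id": 7, "opened": "2023-11-29T23:50", "closed": None, "shift": "night", "severity": "medium"},
]

# Role model (role and widget names are assumptions): each role sees only the widgets relevant to it.
ROLE_WIDGETS = {"operator": {"open_now"}, "team_lead": {"open_now", "shift_efficiency"}, "cio": {"weekly_trend"}}

def open_now(incidents):
    """Operational view: a slice for the current moment, open incidents counted by severity."""
    counts = defaultdict(int)
    for inc in incidents:
        if inc["closed"] is None:
            counts[inc["severity"]] += 1
    return dict(counts)

def shift_efficiency(incidents, start, end):
    """Analytical view: mean minutes to close per shift, over incidents opened in [start, end)."""
    minutes = defaultdict(list)
    for inc in incidents:
        opened = datetime.fromisoformat(inc["opened"])
        if inc["closed"] is None or not (start <= opened < end):
            continue  # open incidents and incidents outside the period do not count
        minutes[inc["shift"]].append((datetime.fromisoformat(inc["closed"]) - opened).total_seconds() / 60)
    return {shift: round(sum(v) / len(v), 1) for shift, v in minutes.items()}

def drill_down(incidents, shift, start, end):
    """Drill-down behind the shift metric: the closed incident ids that produced it."""
    return [inc["id"] for inc in incidents
            if inc["shift"] == shift and inc["closed"] is not None
            and start <= datetime.fromisoformat(inc["opened"]) < end]

def weekly_trend(incidents):
    """Strategic view: the whole history, incidents opened per week, keyed by that week's Monday."""
    counts = defaultdict(int)
    for inc in incidents:
        opened = datetime.fromisoformat(inc["opened"])
        counts[(opened - timedelta(days=opened.weekday())).date().isoformat()] += 1
    return dict(sorted(counts.items()))

def dashboard_for(role, incidents, start, end):
    """Assemble a dashboard containing only the widgets the role model allows for this role."""
    widgets = {"open_now": lambda: open_now(incidents),
               "shift_efficiency": lambda: shift_efficiency(incidents, start, end),
               "weekly_trend": lambda: weekly_trend(incidents)}
    return {name: build() for name, build in widgets.items() if name in ROLE_WIDGETS.get(role, set())}
```

Calling `dashboard_for("team_lead", INCIDENTS, start, end)` for the week of 27 November returns the open-incident slice and the per-shift report, while an unknown role gets an empty dashboard.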


Examples of our reports:

- Summary comprehensive reports for a specific period (week or month), filled with a large number of widgets. It is convenient to generate such reports on a schedule so that at a set time they arrive in a particular employee's e-mail.

- Small reports built on the principle of ‘one request - one report’. Such reports let you get information about a specific metric as quickly as possible.

- In each of our solutions we also provide the ability to export a report on a specific object directly from the interface at any time. This gives a ‘snapshot’ of the current state of any entity.


Also, in addition to the classic ways of presenting information, we have made it a rule to fill the object cards themselves with useful infographics, be it link statistics or even a full-fledged Kill Chain of the attack.


Such mini-dashboards have proven to be a useful tool both in investigations and in presenting the results of one's work alongside the main reporting.


It is important to remember that any of the preconfigured analytical tools can be edited in any way, adapting them to your needs as much as possible without specific skills. And if the ‘boxed version’ does not cover any specific cases at all, our constructor will come to your aid, with the help of which you can quickly create the necessary analytical view.


Conclusion


Summing up, requests for high-quality visualisation are constantly growing, so we do not stand still: we keep expanding the set of our analytical tools and do not forget about design and layout.

