Producing data visualizations that are both beautiful as well as functional is both difficult and uncommon. At the same time, finding the right balance between beauty and function can have a tremendous impact.
Personally, I’ve been fascinated with smart visualizations of complex data for years. Being able to tell a story with compelling visuals, especially in a deeply technical field like InfoSec, is an art form. Security practitioners are particularly fond of the benefits afforded by visualization libraries like D3.js or REAVIZ on top of security data. However, some applications require a novel approach.
Alert Clustering for Security Operations
Gone are the days when security teams focused on investigating every single security alert. Today, we widely recognize this approach as untenable. With dozens of detection solutions competing for analysts’ attention, clustering alerts or detections into a single actionable item, sometimes called “an insight,” has become a more common practice.
Even so, analysts have dozens of actionable items to triage, potentially made up of hundreds of individual detections. Considering the amount of time spent on incident investigations, being able to describe and prioritize these groups quickly has become increasingly important. It’s a difficult problem to solve with typical incident response workflows, but a perfect scenario for a thoughtful visualization.
Considering the Needs
A user interface dedicated to insight-driven workflow has to consider the following challenges:
- Information density in limited screen space;
- The need to visually identify and remember individual insights or alert clusters;
- The need to quickly compare and contrast the findings and to allow analysts to prioritize their investigations.
Applying hive plots to these needs works out very well.
Enter the Hive
For those who are unfamiliar, a hive plot is similar to a parallel coordinates chart and allows mapping the significant values to multiple dimensions or axes.
However, there are a few significant differences:
- Unlike parallel coordinates, hive plots work better with a limited number of dimensions, ideally 3 to 5.
- A hive plot can show relationships between each pair of coordinates or axes.
- The hive plot creates a unique visual fingerprint of the data it represents.
- Hive plots take less visual space. Because of this, combining multiple plots in a grid can help highlight their differences for faster analysis.
In terms of information, hive plot grids can be very dense, which makes them perfect for security analysis use cases like Incident Response and alert triage. Hiveplot.com, by Dr. Martin Krzywinski, has a good number of examples and case studies.
Hive Plots for Security Analytics
So how can hive plot help with security analytics and alert triage?
Assuming a detection event contains a mapping to an attack stage (MITRE ATT&CK is a good start), we can use the following key dimensions for the axes in the plot: Time of Detection, normalized Severity, and Attack Stage. With every complete ‘ring’ representing a single alert, and axes directed inside-out, an alert cluster can produce a unique visual shape.
What this means is that less severe detection events which occurred earlier, mapped to early attack stages (e.g., Reconnaissance), has smaller rings than those which occurred more recently, represent later stages (e.g., Exfiltration), and tagged as higher severity.
To a human mind, “larger” means “more important,” so recognizing exciting patterns in alert clusters becomes accessible and intuitive, from “low and slow” attack campaigns to “all hell just broke loose.”
To my knowledge, this is the first time hive plots had been used in cybersecurity.
Using Hive Plot in Your Project
However, if you’re comfortable with React, I urge you to check out Austin McDaniel’s implementation as a part of his excellent component library, REAVIZ. It leverages React natively for rendering the components while using D3 under the hood for calculations. It provides an easy way to get started creating charts without sacrificing customization ability.
Here’s what the hive can look like inside an analyst interface, as designed by Harlan Elam:
I’m proud to have collaborated with Austin and Harlan on adopting hive plots for incident response, and I’m excited about the power they unlock in security applications.
I would love to hear your thoughts.
The title image is “Zen Hive Plot” by Chris DeMartini