25 Step SecVis Creation Process

The 25 step process for creating security visualizations (sec-vis) involves planning, preparation, design/implementation, testing/validation, and certification. Key steps include deciding the goals and data sources, preparing the data by cleaning and filtering, designing visual elements like charts and colors, implementing calculations and mappings from data to visuals, testing using validation data, and certifying the final sec-vis.

Uploaded by John Nyachuba

25 Step Sec-Vis Creation Process

Decision & Planning

1) Decide on the aim of the visualization

• Interact with data

• Identify trends

• Discover relationships

• Discover patterns

• Understand data

• Summarize data

• Support decisions

2) Do we target a specific security analysis?

• Triage Analysis

• Escalation Analysis

• Correlation Analysis

• Threat Analysis

• Incident Response Analysis

• Attack Forecasting

• Forensic Analysis

(e.g. target: forensic analysis; data sources: IDS Alerts + Network Flow + OS Logs + Application Logs)

3) Do we target a specific threat or vulnerability?

Triage analysis is the initial stage of analysis, in which the raw data is filtered by weeding out false alerts or reports of normal network events; it provides the basis for escalation analysis and correlation analysis. The related data are then grouped and transformed into sets of incidents. Beyond the network event level, threat analysis and incident response analysis target a higher-level cyber situational awareness (Cyber SA), in which prediction and attack forecasting rely mainly on various types of intelligence. At this step forensic analysis requires preserving evidence of incidents for further legal operations.

4) Decide on the data source(s)

• Network Traffic Data

• Firewall configuration data

• Firewall log data

• Intrusion detection and/or prevention system alert log

• Operating system log

• Web server log

• Application server log

• Web proxy log

• Mail server log

• Database access log

• Router configuration log

• Enterprise specific application log

5) Are we dependent on a standard?

6) More data related decisions

• Real-time or historical data?

• Existing data or future data?

• How to collect, transfer, store?

• One or multiple data sources?

• How to merge multiple data sources?

• The frequency of data

• The format of data

7) Users and user groups

• The level of detail

• The level of difficulty

• System design (authorized users?)

• Data (function or data dependence on user profile?)

8) Initial decisions related to display types and elements

• Which chart types are more suitable?

• Single chart, dashboard, overlapping charts?

• 2-D or 3-D?

• The level of interactivity?

9) Initial technology decisions: examine available alternatives

Preparation

10) Prepare environment

• Install all necessary software (sensor, collector, library, visualization tool, IDE)

• Integrate necessary parts

• Education for tools & technologies

11) Prepare data

• Clean

• Fill missing parts

• Filter out unnecessary data parts

12) Prepare standards data

Design & Implementation

13) Decide on data attributes

• User name, user IDs

• Source & destination IPs

• Source & destination ports

• Alert types

• Event type

• Time

• Duration

• Error type

• Asset id

• Departmental division

• Geo info (coordinates)

14) Decide on data calculations and presentations

• Aggregation (Summary)

1) Count

2) Size

• Difference (Pattern Detection, Summary)

1) Count

2) Size

3) Set

• Grouping (Interact with data, Understand data)

1) Group of users

2) Group of IPs, Ports

3) Group of applications

• Subsetting (Static Filtering)

• Ratio (Understand)

• Timing (Understand Data, Decision Support)

• Complex Calculations & Comparisons

1) Timing + Aggregation (Trend)

2) Timing + Difference (Trend)

3) Aggregation + Aggregation (Comparison, Correlation)

4) Set + Set (Comparison of Data to Find Patterns) (Correlation of different time intervals or different data)

5) Timing + Group(User, IP, Host, Port) (Timetable)

6) Aggregation + Group(User, IP, Port, Host)

7) Overlapping (Comparison)

8) Statistical calculations
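The following is an added example, not part of the original document: it applies step 11 (clean, fill missing parts, filter) and several of the step 14 calculations (Aggregation + Group, Timing + Aggregation, Set + Set, Timing + Group) to a few constructed IDS alert lines. The CSV field layout, the field names and the "normal-traffic" filter rule are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (added example, not the document's own data):
# "timestamp,src_ip,dst_port,alert_type,severity"; one line is malformed
# and one has an empty alert_type on purpose.
RAW_LINES = """2024-01-01T10:00:05,10.0.0.5,22,ssh-bruteforce,high
2024-01-01T10:01:10,10.0.0.9,443,,low
2024-01-01T10:01:30,10.0.0.5,22,ssh-bruteforce,high
bad line without enough fields
2024-01-01T10:02:15,10.0.0.7,3389,rdp-scan,medium
2024-01-01T10:02:50,10.0.0.9,80,normal-traffic,info
2024-01-01T10:03:05,10.0.0.7,3389,rdp-scan,medium
2024-01-01T10:03:20,10.0.0.11,445,smb-probe,medium""".splitlines()

def prepare(lines):
    """Step 11: clean (drop malformed), fill missing parts, filter noise."""
    events = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # clean: drop malformed records
        ts, src, port, alert, sev = parts
        alert = alert or "unknown"  # fill a missing alert type
        if alert == "normal-traffic":
            continue  # filter: normal events are not plotted
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "port": int(port), "alert": alert, "sev": sev})
    return events

def aggregate_by_source(events):
    """Step 14, Aggregation + Group(IP): alert count per source IP."""
    return Counter(e["src"] for e in events)

def trend_per_minute(events):
    """Step 14, Timing + Aggregation (Trend): alerts per minute bucket."""
    return dict(sorted(Counter(e["ts"].strftime("%H:%M") for e in events).items()))

def new_sources(events, split_iso):
    """Step 14, Set + Set: sources seen from `split_iso` on but not before it."""
    split = datetime.fromisoformat(split_iso)
    before = {e["src"] for e in events if e["ts"] < split}
    after = {e["src"] for e in events if e["ts"] >= split}
    return sorted(after - before)

def timetable(events):
    """Step 14, Timing + Group(Port): which ports are hit in which minute."""
    table = defaultdict(set)
    for e in events:
        table[e["ts"].strftime("%H:%M")].add(e["port"])
    return {k: sorted(v) for k, v in sorted(table.items())}
```

Each function returns a plain mapping or list, which is the shape a chart library expects for a bar chart (aggregate_by_source), a line chart (trend_per_minute) or a heat-map style timetable (timetable).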

• Decisions Related to Visual Appearance

15) Decide on chart types and other display elements

16) Decide axis values and similar display values

• Map data attributes to data axes

• Map data to the size, length and location of the display elements

17) Decide on text

• Title

• Caption

• Annotation

• Value

• Detail text

18) Decide on the use of colors

• Use of a color scheme generator (https://coolors.co/)

• Mapping data attributes or groups to the colors

19) Design Legend

• Color, Text, Size

20) Decide on the interactivity triggers and functions.

Some triggers:

• Hover

• Write

• Click

Some functions:

• Pick some part or all of an existing visual representation;

• Locate a point of interest (which may not have an existing representation);

• Stroke a path;

• Choose an option from a list of options;

• Valuate by inputting a number; and

• Write by inputting text.

Test & Validate

21) Prepare Validation Data

Known data sets, laboratory data, random data, real-time data

22) Prepare Case-study

23) Create the visualizations

24) Expert Evaluation/Surveying or similar

Certification
25) Certification
