Understand and Mitigate Risk with Intuitive Visualization

Security_Guest Frequent Contributor.

Interset can generate a list of your riskiest users just by analyzing the data that routinely flows through your organization. Compiling a list like this would normally take security analysts a tremendous amount of effort and time. Keeping that list updated on a daily basis would add to that challenge. In contrast, thanks to machine learning and advanced statistical analysis, Interset can provide the equivalent information with no manual effort.

Visualization Blog Figure 1

Sounds ideal, doesn’t it? In reality, there is a bit more Interset does to make the findings actionable… Knowing who is risky in your organization is not particularly useful unless you can understand the actions that made the individual risky. This context is essential to interpreting the analytical results.

The need for context was best explained in one of my favorite books, the 1980 sci-fi classic, The Hitchhiker’s Guide to the Galaxy, by Douglas Adams. In it, he wrote about the computer Deep Thought, a computer created with the sole purpose of finding out The Answer to Life, The Universe, and Everything. Finally, after 7.5 million years of calculation, Deep Thought concluded that The Answer to Life, The Universe, and Everything is: 42. Unfortunately, it turned out that it would take even longer and require an even more powerful computer to calculate The Question to Life, The Universe, and Everything! Context is everything.

Fortunately, Interset’s user interface (UI) provides highly interactive visualizations that allow you to slice and dice our anomalies, violations and even raw event data—so you can better understand where risk is coming from.

One of the most powerful tools at your disposal for exploring Interset anomalies and violations is the “matrix” visualization. It is a deceptively simple graph that plots anomalies and violations as a function of risk over time. The color of the square emphasizes the riskiness of the activities so you can see when they happened, at a glance.

Visualization Blog Figure 2

If the square is red, there are one or more risky things that happened at that time. Clicking on the square reveals the timeline of risky activities for that range in risk and time.

Visualization Blog Figure 3

Selecting any of the items in the timeline will allow you to dive deeper into the data. In this example, we see that Joshua Newman was active at an hour that was not expected based on previous observations of his behavior.
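To make the matrix concrete, here is an added example (not Interset code) that bins constructed anomaly records into (time bucket, risk band) cells, colors each cell by its riskiest anomaly, and returns the timeline an analyst would see when clicking a cell. The risk scale, band thresholds, six-hour buckets and sample data are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

class Anomaly(NamedTuple):
    user: str
    ts: str            # ISO-8601 timestamp
    description: str
    risk: int          # 0..100, hypothetical scale

# Constructed sample anomalies; these are not Interset output.
ANOMALIES = [
    Anomaly("Joshua Newman", "2019-07-08T03:12:00", "active at unusual hour", 82),
    Anomaly("Joshua Newman", "2019-07-08T03:40:00", "unusual print volume", 65),
    Anomaly("Joshua Newman", "2019-07-08T09:05:00", "accessed new file share", 20),
    Anomaly("Joshua Newman", "2019-07-09T22:30:00", "active at unusual hour", 90),
    Anomaly("Alice Chen", "2019-07-08T10:00:00", "login from new machine", 35),
]

def risk_band(score: int) -> str:
    """Map a risk score to the matrix row it belongs to (thresholds are assumed)."""
    if score >= 67:
        return "high"
    return "medium" if score >= 34 else "low"

def time_bucket(ts: str, hours: int = 6) -> datetime:
    """Map a timestamp to the matrix column: the start of its N-hour bucket."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(hour=dt.hour - dt.hour % hours, minute=0, second=0)

def build_matrix(anomalies, user=None, hours=6):
    """Group anomalies into (time bucket, risk band) cells, optionally for one user."""
    cells = defaultdict(list)
    for a in anomalies:
        if user is None or a.user == user:
            cells[(time_bucket(a.ts, hours), risk_band(a.risk))].append(a)
    return cells

def cell_color(cells, bucket, band) -> str:
    """Color a cell by the riskiest anomaly it contains; empty cells stay blank."""
    items = cells.get((bucket, band), [])
    if not items:
        return "blank"
    top = max(a.risk for a in items)
    return "red" if top >= 67 else "amber" if top >= 34 else "green"

def drill_down(cells, bucket, band):
    """Timeline shown when a cell is clicked: its anomalies in time order."""
    return sorted(cells.get((bucket, band), []), key=lambda a: a.ts)
```

Filtering by user reproduces the "entered from the Top Risky Users list" view; calling build_matrix without a user is the equivalent of widening the query to the whole population.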

Visualization Blog Figure 4

In the above examples, we have restricted our investigation to Joshua Newman (in fact, we entered this exploration by clicking on Joshua’s name in the Top Risky Users list). While that might be a great starting point in determining what Joshua has been up to, Interset also allows you to open up exploration through the use of an advanced query box at the top of the Exploration page and pivot an investigation based on different sub-populations, machines, printers, tagged entities or anomalies, and more.

Visualization Blog Figure 5

Performance is an integral part of the Interset experience—we don’t want investigators to be distracted by delays as the screen refreshes or data is fetched from the server. The entire UI refreshes quickly and provides instant feedback based on the selected time range and filters. Select cells in the Matrix—zoom in, zoom out, drag around—and all the visualizations and lists on the page will remain in sync.

In addition to a highly performant UI, we recognize the need for flexibility. There are no limitations when exploring the data—choose any time range, any query parameters, even scroll through every single bit of data we have in an infinitely long scroll—the UI will remain responsive so you can focus on your investigation (this is amazing considering how much data we analyze to bring these results!).

Interset flips traditional threat hunting workflow on its head by providing analysts with investigative leads from the start. Our UI then completes the picture by showing all the anomalous activities that have been detected and empowers analysts by giving easy access to the raw event data that triggered the analytical models. Interset provides the tools needed to visualize risk at multiple scales, from the entire organization to any subpopulation you can think of (thanks to our powerful query engine), down to the “subatomic” level with our event browser.

This overview provides just a glimpse of our product’s capabilities. We have created a unique user experience that allows you to not only see where risk is in your organization but also answers a wide variety of questions about that risk.

If you happen to be going to Black Hat USA 2019, I hope you’ll pop by booth #947 to say “hi”, where I’ll be happy to answer your questions about UX, Interset, and Everything!


Mike Cyze is a Front End Architect in Product Management at Micro Focus Interset.
