You (Our Customers and Community) have spoken and we have heard you loud and clear. You need visualization of your data in the ThreatConnect platform, and in the spirit of the holiday season we have granted your wish. In ThreatConnect Episode IV: A New Scope, when you log in, you will see a compact and concise visualization of all your data on the ThreatConnect dashboard. So say bye bye to the boring old dashboard below.
And say hello to our all new super shiny dashboard with visualizations.
Before we concentrate on the visualization aspect of the dashboard, let’s just say that quite a few things have changed (for the better). We have a slightly new and better working color scheme, and the layout of the dashboard has changed. On the left you have access to your Tasks, and on the right you have the all new visualization elements. Below the visualization sections you have access to posts. Discussing the entire redesign of the dashboard is out of scope for this blog post, so we are going to talk about the most interesting aspect of the new dashboard, visualizations.
The visualizations are grouped in 4 sections, Sources, Indicators, Intelligence, and Activities. Each section is used to group together information that is logically similar, and uses a visualization technique that we feel is most appropriate for that section. Using this one screen you get an overview of all your data in the ThreatConnect platform and some more information to boot. Each section’s visualization is discussed in detail below. What is important to remember is that the scope of data used for each visualization depends on the context you are in. By default you are in the global context so the information shown is an aggregate of all your threat intel data across your organization, communities, and intel feeds. By selecting a specific organization/community/intel feed you can drill down to metrics specific to that particular organization/community/intel feed. You can do so by selecting the organization/community/intel feed from the drop down list in the top right corner. e.g. figure 4 shows common community data.
The sources section plots all sources of indicators (your organization, communities, intel feeds) on threat rating versus confidence quadrants. This allows you to compare and contrast the sources you have access to. The position of a source on this chart is determined by its average rating and average confidence. In addition, the size of the source depends on the count of indicators, and the opacity indicates the percentage of enriched indicators in that source. By hovering over any one source you will see it highlighted and a bunch of metrics for that source (shown in figure 5).
The motivation of this plot is to be able to visualize a whole lot of information about each source and be able to compare them against each other and the rest, all in one shot. The quadrant scheme gives you an easy way to find your high-confidence/high-rating sources versus the other combinations.
The Indicators section shows you a breakdown of enriched versus non-enriched indicators you have in the system. Here by enriched we mean indicators that have tags or attributes associated with them. Our hypothesis is that: The more enriched indicators you have access to the better the quality of your threat intel data. Right below that you see the count of total indicators and a sparkling showing history of indicator counts. Hovering over the sparkline gives you a pop-up with value corresponding to that date in history. And finally we have a bar chart comparing the counts of indicators by indicator types.
Intelligence and Activities
The Intelligence Section summarizes the, you guessed it, intelligence in your platform. We show a count of various types of intelligence as well as a trend line for historic values. Similarly the Activities section summaries the activities in the system. It may seem like there is not much visualization going on over here, but don’t be deceived. Just because we didn’t stuff this information in a pie-chart doesn’t mean there is no visualization. In fact considering the characteristics of this data, it makes perfect sense to show a count and a trend line for each of these metrics. You can compare the trends of each intelligence type and each activity type as well as access individual values (by hovering over). After all the purpose of visualization is not just to display pretty pictures, but rather to inform and educate using visual media.
Towards a more powerful and Interactive Platform.
We have strived very hard to stay away from cliché visualization/dashboard techniques and come up with something that is not only pleasing to look at but actually useful in summarizing the threat intel in your system. This is just the first version of our new dashboard and we have more detailed visualizations for each section in the pipeline. We would love to hear back from you about your thoughts and concerns about our Data-Viz efforts. Our ultimate aim is to provide you with a powerful and interactive visualization tool as part of the ThreatConnect Platform.
Bhaskar Karambelkar is Data Science Lead at ThreatConnect Inc. In his role Bhaskar leads the analytics and visualization efforts. Bhaskar has over 18 years of industry experience in IT, 10 of which are in InfoSec domain. Bhaskar loves to integrate traditional InfoSec research with data analytics and visualization for presenting a complete picture of the InfoSec landscape. Bhaskar has a Bachelors degree in electronics engineering and working on a Masters degree in Predictive Analytics.
Bhaskar Karambelkar is Data Science Lead at ThreatConnect Inc. In his role Bhaskar leads the analytics and visualization efforts. Bhaskar has over 18 years of industry experience in IT, 10 of which are in InfoSec domain. Bhaskar loves to integrate traditional InfoSec research with data analytics and visualization for presenting a complete picture of the InfoSec landscape.
Bhaskar has a Bachelors degree in electronics engineering and working on a Masters degree in Predictive Analytics.
Interested in learning more about how ThreatConnect can help unite your security team and protect your enterprise?