The Cipher Brief sat down with Stuart Clarke, Chief Technical Officer for Cybersecurity at Nuix, to discuss how the visualization of data plays a critical role in detecting cyber threats, including insider threats originating from within a company itself. According to Clarke, visualization “solves a lot of problems” and being able to identify “key pieces of information is incredibly complicated” without visualization.
The Cipher Brief: Looking at the current cybersecurity environment, what are the threats that you find most worrying?
Stuart Clarke: That’s a good question. The threat that is probably most worrying is actually the insider threat. This is a big challenge for us, because they’re trusted individuals generally; insiders have access to everything. They’ve got access to intellectual property, PCI data, huge volumes of information, which in the wrong hands is really quite devastating. Protecting against that is a real challenge for organizations.
Every organization has a huge volume of data, and a huge number of users. They’re faced with two challenges: they’ve got the accidental insider threat, so someone unwillingly disclosing information, and either the malicious type or a whistleblower who is really looking to exfiltrate data.
Although it’s not a new threat, it’s worrying because it’s more prominent. We’re seeing it more in the media and it’s inspiring and influencing people. People are recognizing the value of the data they’re working with day to day. So, while there are lots of worrying trends such as ransomware, I think this threat is not going away. It’s becoming more recognized, but it’s not actually being resolved just yet.
TCB: My understanding is you have a lot of experience and expertise in data visualization. How does data visualization play into detecting or responding to threats like ransomware or malicious insiders?
SC: Visualization, for me, solves a lot of problems. Whatever the type of cyber incident is, whether it be insider threat or ransomware, we need to inspect and analyze huge volumes of data. That creates a lot of noise.
Without visualization, without analytics, being able to identify the actual key pieces of information is incredibly complicated. Compounding that fact, the industry is very short on skills. And it will continue to be short on skills. We can’t produce enough people to respond to these incidents, so visualization really does meet that challenge as well. It allows us to put products in the hands of more people, to be able to protect and mitigate against these instances when they occur.
TCB: Can you give an example of how data visualization helps with this sort of thing? What is a slightly more concrete test case?
SC: A great one is visualizing log files. Let’s take an insider threat example. On a network, there are log files recording which users are logging onto which devices, and they may log on hundreds of times throughout the course of a year, several times throughout the course of a day. Where visualizations really come into their own is, you can detect patterns. I may log into my machine every day at 8:30 and I may log out at 6:30 every day, and I may do that day in and day out. When you visualize that, it clusters together and it’s very uniform.
If I start to act erroneously, if I start logging in maybe at 6:30 in the morning, or maybe I’m logging in later at night from a remote location, visualizations really expose that information because it’s an outlier. It’s anomalous behavior, and that can’t be detected in a linear fashion. That’s a scenario that I’ve seen played out with many of our customers. Detecting those anomalies, detecting those outliers, is key to identifying trigger points of something potentially bad.
TCB: The field has advanced quite a bit in recent years. How do you see visualizing data moving forward, and what would you say are some of the key challenges that it’s going to be facing?
SC: The volume of data is a big challenge and technology really needs to support and give us solutions. I think one of the big things that we’re moving into is leveraging more machine learning. There are certainly organizations that are offering machine learning, but generally those machine learning technologies are in small pockets of isolation so we have machine learning around log files, for example, or we may have machine learning around virus attacks.
What we really need and where visualizations need to move to is a more holistic approach, where it’s not just about log files in isolation, it’s about log files and activity on the file system, and activity on the endpoint, bringing all of that together.
As those data volumes grow, the visualizations are only as good as the information you put into them. The analytics is only as good as the intelligence you feed into it. And I think the only way that that scales is leveraging machine learning and combining machine learning with analytics.
TCB: How adept are businesses, at this juncture, at properly using data visualization techniques in their incident responses, and how can they use it better?
SC: It’s a real mixed bag, actually. It’s not just about keyword searching and filtering anymore. It’s about abstracting a layer, and taking it a layer up, and actually seeing the bigger picture, which you can only see by using data visualization. Organizations are certainly embracing that.
I think what needs to be recognized is, a lot of organizations are sort of security Frankensteins. We’ve got all of these disparate solutions, but there’s no overarching thing bringing all of that together. And I think a lot of organizations are on that journey now, and some are just not, so they’re missing that bigger picture. The only thing that can give that bigger picture is wrapping a layer of analytics around all of it. They’re bolting pieces together, which in isolation are very good, but they don’t really fit together that well.
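The logon-time scenario Clarke describes above (a user who logs on at 8:30 every day, then suddenly appears at 6:30 in the morning or late at night from a remote location) can be worked through in a few dozen lines. The following is an added example, not code from the interview or from Nuix: it parses a constructed logon log in an assumed `timestamp user event source` format, draws the per-user hour-of-day histogram as text so the clustering Clarke mentions is visible, and flags outliers with a robust z-score (median and median absolute deviation, with an assumed 5-minute MAD floor and the conventional 3.5 threshold) plus a check for a source address the user has never logged on from before.

```python
"""Baseline-and-outlier detection over logon records (added example, not Nuix code).

Assumed, constructed record format:  <ISO timestamp> <user> <LOGON|LOGOFF> <source host>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: 'sclarke' logs on around 08:30 from the office host every
# weekday, then two outliers appear (a pre-dawn logon, and a late-night logon
# from an address never seen for this user). 'jdoe' is a quiet control user.
SAMPLE_LOG = """\
2017-03-01T08:31:12 sclarke LOGON 10.0.1.20
2017-03-02T08:28:40 sclarke LOGON 10.0.1.20
2017-03-03T08:33:05 sclarke LOGON 10.0.1.20
2017-03-06T08:30:22 sclarke LOGON 10.0.1.20
2017-03-07T08:29:51 sclarke LOGON 10.0.1.20
2017-03-08T08:35:10 sclarke LOGON 10.0.1.20
2017-03-09T08:27:44 sclarke LOGON 10.0.1.20
2017-03-10T08:32:03 sclarke LOGON 10.0.1.20
2017-03-13T06:31:09 sclarke LOGON 10.0.1.20
2017-03-14T23:12:37 sclarke LOGON 203.0.113.45
2017-03-01T09:02:15 jdoe LOGON 10.0.1.31
2017-03-02T09:05:48 jdoe LOGON 10.0.1.31
2017-03-03T08:58:30 jdoe LOGON 10.0.1.31
2017-03-06T09:01:02 jdoe LOGON 10.0.1.31
2017-03-07T09:04:19 jdoe LOGON 10.0.1.31
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGON|LOGOFF)\s+(\S+)$")


def parse_log(text):
    """Parse records into dicts; malformed lines are skipped rather than crashing the run."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append({
            "ts": ts,
            "user": m.group(2),
            "event": m.group(3),
            "source": m.group(4),
            "minutes": ts.hour * 60 + ts.minute,  # minutes since midnight
        })
    return events


def hour_histogram(events, user):
    """Count LOGON events per hour of day for one user (the 'cluster' view)."""
    return dict(Counter(e["ts"].hour for e in events
                        if e["user"] == user and e["event"] == "LOGON"))


def render_histogram(hist):
    """Text rendering of the histogram: one row per hour, '#' per logon."""
    return "\n".join(f"{h:02d} | {'#' * hist.get(h, 0)}" for h in range(24))


def robust_z(value, med, mad):
    """Modified z-score (Iglewicz-Hoaglin): 0.6745 * |x - median| / MAD."""
    return 0.6745 * abs(value - med) / mad


def find_anomalies(events, threshold=3.5, mad_floor=5.0, min_events=5):
    """Flag logons whose time of day is an outlier for the user, or whose source
    host appears only once in that user's history. Users with fewer than
    min_events logons have no usable baseline and are skipped."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON":
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        if len(evs) < min_events:
            continue
        mins = [e["minutes"] for e in evs]
        med = median(mins)
        # Floor the MAD so a very regular user does not get flagged for a 2-minute drift.
        mad = max(median([abs(m - med) for m in mins]), mad_floor)
        sources = Counter(e["source"] for e in evs)
        for e in evs:
            reasons = []
            z = robust_z(e["minutes"], med, mad)
            if z > threshold:
                reasons.append(f"time-of-day outlier (robust z={z:.1f})")
            if sources[e["source"]] == 1:
                reasons.append(f"source {e['source']} never seen before for this user")
            if reasons:
                findings.append((user, e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sclarke logon hours:\n" + render_histogram(hour_histogram(evs, "sclarke")))
    for user, when, reasons in find_anomalies(evs):
        print(f"{when} {user}: " + "; ".join(reasons))
```

Two caveats a practitioner would add before relying on this: the minutes-since-midnight baseline treats 23:30 and 00:30 as far apart, so users on night shifts need a circular distance instead, and here the baseline is built from the same window it scores, whereas in production the median and MAD would come from a prior training window so a slow drift is not absorbed into "normal".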