I'm a very big - nay, a huge t-shirt fan. I'll admit, I even subscribe to a
t-shirt blog. If I attended meetings, it'd be an illness.
Threadless is a tee site I'm particularly fond of. While browsing their seemingly bottomless vault of shirts for sale, I came across
this one. It hit home for a number of reasons.
Over the past few weeks I've struggled with the problem of visualizing a massive amount of data relating to some security incidents. This has proven a worthy endeavor not only in illustrating causality that isn't apparent in the raw data itself, but also in communicating to management various parts of the "story," letting them draw their own conclusions. I'll hopefully get to writing about a couple of techniques (no data, naturally) that have been particularly helpful in the coming weeks.
In a number of cases, the approaches I've taken have failed, most due to "over-dimensionality;" trying to cram too many variables into the diagram. What resulted was cool, but required far too much explanation - much like the visualization in this picture. The data itself in this case is likely meaningless, but it's a good example of what can result when analysts are overly ambitious in attempting to communicate findings. It's easy to do. When we understand all of the data we have, thanks to many long hours of study and analysis, we feel every detail is important because we understand its contribution. But in telling the story, guiding readers to a conclusion, or illustrating causality, many times it is necessary to gloss over detail that can be spoken to or revealed if additional questions arise.
I've found that studying
Tufte's literature has been a great help in improving my skills in visualization throughout the course of this calendar year, and while I appreciated this skill before, I now realize how critical it is to this profession. I'd encourage everyone in InfoSec to find a way to sharpen their skills in data visualization. It will pay dividends in your career you didn't expect.
With special thanks to my boss for initially inspiring me to investigate this topic more thoroughly.
I will be participating in a Defense Industrial Base / Law Enforcement / Dept of Defense panel at the SANS WhatWorks Summit in Forensics and Incident Response. The topic, broadly, will be "How are government agencies and contractors responding to large scale intrusions successfully?" Even if you don't do work with or for the government, I would encourage you to attend if you happen to be at the summit. The DoD, and by extension their contractors, see the bleeding edge of new offensive techniques, often years before other commercial sectors. Law enforcement organizations, naturally, become involved and bear witness to the same. If you're interested in how large organizations defend themselves against and respond to attacks that you will likely be seeing in the future, this will hopefully be a good session to attend.
Posts
