
    Exploring the role of experts' knowledge in visualizations for cyber security

    Knowledge-assisted visualization is a concept in information visualization that incorporates the knowledge conversion processes into the design, implementation and utilization of visualization tools. Knowledge conversion processes describe the exchange of knowledge between humans and machines in the form of externalization, internalization, collaboration, and combination. In this paper, we bring those concepts to the cyber security visualization domain. We draw from state-of-the-art research in knowledge-assisted visualization to derive a method for identifying the concepts. We then analyze VizSec (IEEE Symposium on Visualization for Cyber Security) papers and present the lay of the land of knowledge conversion in ten years of research in VizSec.

    Visualization Evaluation for Cyber Security: Trends and Future Directions

    The Visualization for Cyber Security research community (VizSec) addresses longstanding challenges in cyber security by adapting and evaluating information visualization techniques with application to the cyber security domain. This research effort has created many tools and techniques that could be applied to improve cyber security, yet the community has not yet established unified standards for evaluating these approaches to predict their operational validity. In this paper, we survey and categorize the evaluation metrics, components and techniques that have been utilized in the past decade of VizSec research literature. We also discuss existing methodological gaps in evaluating visualization in cyber security, and suggest potential avenues for future research in order to help establish an agenda for advancing the state of the art in evaluating cyber security visualization.

    A Security Information and Event Management Pattern

    In order to achieve a high level of cyber security awareness, most mid- to large-sized companies use Security Information and Event Management (SIEM) embedded into a Security Operations Center. These systems enable the centralized collection and analysis of security-relevant information generated by a variety of different systems, to detect advanced threats and to improve reaction time in case of an incident. In this paper, we derive a generic SIEM pattern by analyzing already existing tools on the market, among additional information. Thereby, we adhere to a bottom-up process for pattern identification and authoring. This article can serve as a foundation to understand SIEM in general and support developers of existing or new SIEM systems to increase reusability by defining and identifying general software modules inherent in SIEM.

    Navigating Cyberthreat Intelligence with CYBEX-P: Dashboard Design and User Experience

    As the world's data exponentially grows, two major problems increasingly need to be solved. The first is how to interpret large and complex datasets so that actionable insight can be achieved. The second is how to effectively protect these data and the assets they represent. This thesis' topic lies at the intersection of these two crucial issues. The research presented in the thesis learns from past work on applying data visualization to multiple domains, with a focus on cybersecurity visualization. These learnings were then applied to a new research area: cybersecurity information sharing. The frontend considerations for CYBEX-P, a cybersecurity information sharing platform developed at UNR, are discussed in detail. A user-facing web application was developed from these requirements, resulting in an approachable, highly visual cyberthreat investigation tool. The threat-intelligence graph at the center of this dashboard-style tool allows analysts to interact with indicators of compromise and efficiently reach security conclusions. In addition to research and related software development, a user study was conducted with participants from cybersecurity backgrounds to test different visualization configurations. Subsequent analysis revealed that the misuse of simple visual properties can lead to perilous reductions in accuracy and response time. Recommendations are provided for avoiding these pitfalls and balancing information density. The study results inform the final functionalities of the CYBEX-P front end and serve as a foundation for similar prospective tools. By improving how insights can be extracted from large cybersecurity datasets, the work presented in the thesis paves the way towards a more secure and informed future in a technology-driven world.

    Harnessing Human Potential for Security Analytics

    Humans are often considered the weakest link in cybersecurity. As a result, their potential has been continuously neglected. However, in recent years there has been a contrasting development recognizing that humans can benefit the area of security analytics, especially in the case of security incidents that leave no technical traces. Therefore, the need to see humans not only as a problem but also as part of the solution becomes apparent. In line with this shift in the perception of humans, the present dissertation pursues the research vision to evolve from a human-as-a-problem to a human-as-a-solution view in cybersecurity. A step in this direction is taken by exploring the research question of how humans can be integrated into security analytics to contribute to the improvement of the overall security posture. In addition to laying foundations in the field of security analytics, this question is approached from two directions. On the one hand, an approach in the context of the human-as-a-security-sensor paradigm is developed which harnesses the potential of security novices to detect security incidents while maintaining high data quality of human-provided information. On the other hand, contributions are made to better leverage the potential of security experts within a SOC. Besides elaborating the current state in research, a tool for determining the target state of a SOC in the form of a maturity model is developed. Based on this, the integration of security experts was improved by the innovative application of digital twins within SOCs. Accordingly, a framework is created that improves manual security analyses by simulating attacks within a digital twin. Furthermore, a cyber range was created, which offers a realistic training environment for security experts based on this digital twin.