CyberVis

Increasing situational awareness in face of cyber attack, supporting more agile decision making – visualizes impact on business processes.

There are many tools available for detecting and monitoring cyber attacks based on network traffic, and these are accompanied by a wide variety of visualisation tools designed to make such traffic tangible to a security analyst. Many visualisation approaches have been taken in the security domain that aim to help an analyst understand elements of an attack, the location of malicious activity on a network and the possible consequences for the wider system. In contrast, visualisation of the business impact of network attacks has received little attention.

The inability to directly relate an attack to particular enterprise business processes means that, in practice, any operator of the attack monitoring tools will not easily be able to determine the consequential impact and associated risk to an enterprise (in any but the simplest of systems). Indeed, in most environments the people tasked with monitoring systems won't have the knowledge or intuition required to formulate such reasoning. This means that the potential ramifications of attacks to an enterprise activity will not be understood until a monitoring officer has flagged an attack alert (or set of alerts) as of concern, and this information has been passed to somebody who can form a judgement about the enterprise-level impact and so priortise response options according to business need. The resulting delay limits an organisation's situational awareness possibly unnecessarily, and could result in lost opportunity for forming optimal risk mitigation and recovery actions.

There is no methodology that currently addresses the mapping of attacks to business process, and no decision support tools which would enable a real-time assessment of risk based on such a mapping. This is the capability gap that CyberVis has been conceived to address, specifically by developing a visualisation technology for communicating the possible impact of cyber attacks to business processes, optimised for human perception in order to facilitate the decision making core to an agile response.

We are developing a system which we intend will have the following characteristics:

• Can produce near real-time visuals of the areas of the network potentially under attack based on reported malicious activities, how they relate to business processes of concern, and the potential cascade effects across the enterprise both at the network layer and the business process layer. The visuals are based on a conventional network topology diagrammatic representation to optimise usability.
• Can support personalisation of visually salient graphics in order to offer adaptation for perception.
• Can support a “drill down” capability enabling both wide views of the enterprise network or processes, and deep views of either; an ability to pan out and take a broad view of the impact of an attack across a network or process layer will highlight possible cascade effects, a deep dive into specific processes or network components will support focused analysis where there are many events being flagged up as of interest.
• Can reflect uncertainty in environments where threat intelligence is from sources of varying provenance, or where the relationships between business process functions and the network is designed to be flexible and the exact mapping between the two at any point in time sometimes ambiguous, or where the network is dynamically changing with components unpredictably leaving or joining.
• Is supported by a clear methodology for initialisation and an unambiguous data format to ensure the integrity of “roll back” when past events require revisiting.

Our approach has been to pursue the theoretical consideration of how to relate attacks to business processes, the informatics requirements of such a tool (what to present and when) with a practical validation of the vision through creation of a working concept demonstrator.