Nabil Nistar, Heimdal: “Without a well-thought-out process, analytics can just mean a lot of noise”

When it comes to security data, gathering it in one place is only half the job.

These days, gathering and analyzing data is no longer an option but a necessity for companies wanting to stay up-to-date with the current threat landscape. But manually creating charts or graphs to visualize all of your data from a number of different sources is not the way to go – our guest today explains that to gain actionable insights, security teams must adopt real-time smart visualization solutions.

To discuss the importance of security data visualization, the Cybernews team caught up with Nabil Nistar, the Head of Product Marketing at Heimdal.

What is data visualization and what are its benefits when it comes to cybersecurity?

Data visualization is simply the art of being able to view data arising from different points within an environment. In the context of security and the digital world, this translates to collecting data from the various sources within an organization or environment and presenting them in a coherent manner representing a metric. This could range from data across devices (endpoints), users, networks, emails, applications, and many more avenues, hence the presentation is important.

Visualization executed properly can be a powerful tool in the world of security to help security leaders, security operations and IT teams get a unified view across their whole digital estate. On the flip side, visualization that is not integrated or disparate adds to a lot of irrelevant information (presented as meaningless metrics) that then creates manual work for security teams to collate, decipher and present the data from single sources.

Smart data visualization in security is ingesting data from various points and presenting them in the form of real-time charts, graphs, or alerts that direct relevant operation or tactical teams to anomalies that they should react to instead of looking for a needle in a haystack!

It also allows for business leaders to shore up organizational security and behavior based on trends (e.g., What areas of business are at risk? How many attacks on our website this month? Are we seeing an increase in phishing attacks on our senior managers?). For that reason, visualization in security must be multifaceted and customizable to adapt to the nature of business and its goals.

Can you explain the difference between data visualization and visual analytics?

Keeping it in the realm of security, data visualization is the art of presenting the aforementioned sources of data in a coherent manner while analytics is successfully capturing the signals as data emitted by the various points in an organization.

Without a well-thought-out process, analytics can just mean a lot of noise which leads to alert fatigue for the teams. This is where Telemetry plays a big role as a binding agent. Telemetry consists of automated communication processes from various data sources. This ensures data is successfully passing through to, say, a monitoring tool or platform. And from here, it is how this analytics flow is then presented in a meaningful manner for leaders and teams to perform actions on. Our Heimdal Threat-hunting & Action Center is an example of threat telemetry collected through a customer’s environment and where the analytics are presented in a visualized manner on our real-time monitoring platform, providing security teams a complete 360-degree threat-centric view of things such as risk scores, events, trends and Indicators of Compromise (IoC) globally.

In our case, what makes the data visualization important is how our XTP (eXtended Threat Protection) engine cleverly maps the ingested analytics using advanced attack and defensive techniques such as MITRE ATT&CK. This makes the visualized metrics actionable for the security teams and helps with compliance measures.

What types of organizations do you think should be especially concerned with adopting visual analytics technology?

I strongly believe that the power of visualization should be adopted by all industries. A few months ago, we conducted a focus group with varied industries and leaders to talk about this subject with security as the underlying theme. Visualization came up as a pain point across the group unanimously. All organizations reported how hard it is to keep track of single-point products that emit a lot of noise without contextualizing the findings.

The leaders of these organizations were particularly looking to add capabilities to help them identify organizational risks, maintain and uphold compliance as well as bring security to the board rooms. Meanwhile, SecOps pointed out that top of mind for them are eliminating alert fatigue and incorporating solutions that speed up threat hunting and remediation processes such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

If I had to pick, it would be Manufacturing, Healthcare, Financial, and Public Sector organizations that would benefit from adding the power of visualization to their toolkits as these industries are seeing a rise in attacks such as Malware, Ransomware, and Phishing and are also extremely bound by compliance too.

Besides data visualization solutions, what other technologies do you think would greatly enhance business operations?

I would say actionability. In other words, solutions that incorporate remediations, and recommendations, and help teams to respond. There are a lot of solutions that can pick up various data signals and stunningly present them back for organizations to tackle. And to that I say, so what? Yes, that is part of the solution and important but vanity metrics aside if the truth of the matter is that operation teams are struggling to keep up with the volume of alerts and attacks, it does not matter how it is presented!

What they require is to visualize better but also know what action to take and when to do so, without disrupting business operations or end-user experience. Now that is a big task and impossible to do if our front-liners are not empowered with the critical data and tools to perform their duties.

The same goes for boardrooms, they need relevant metrics for security leaders that can articulate to non-technical members about the state of organizational security as it stands and back it up with the progress made as their counterparts in Sales and Marketing do! Our Threat-hunting and Action Center is prime to be a visual storyboard for SecOps and leaders alike but with added actionability incorporated whether it is for hunting, remediation, or compliance/reporting.

In your opinion, why do certain companies hesitate to implement new and innovative solutions, despite all the technological advancements available nowadays?

Leadership roles such as CISOs, CTOs, and CIOs are all instrumental in bringing digital and security transformation into organizations. They are industry veterans and often take up the charge to lead from the front. Although they have the best of intentions, they are often set back by legacy tools, manual processes, and in recent years the security skills gap. For them, balancing getting the house in order while fending off the latest wave of threats to being locked in with existing toolkits makes it hard to transform without the fear of business disruption and expertise to project manage the change. This often leads to putting it off to tackle the business-as-usual responsibilities which they know are not ideal.

We speak to these leaders all the time and their vision of implementing innovative solutions to achieve a Zero Trust environment or simply to encompass defense in depth is forever in their minds. Our method of helping security leaders is by demonstrating the value of unified security that works seamlessly as one entity across their digital estate. This eliminates the need of having several single-point solutions to manage for their overloaded teams. And to achieve that successfully, we work together with these stakeholders as partners to ensure there are no business disruptions in the process and that they are up and running from Day 1.

Talking about cybersecurity, what tools or technologies do you think will be trending in 2023?

The industry has been oddly quiet with not a lot of innovations being pushed out. This is partly due to trying to keep on top of the evolving threatscape which is far outpacing the innovations in this field.

I would love to say that our Threat-hunting and Action Center will be a strong contender in 2023 with our unique product that helps visualization to actionability.

Other than that, we will see mass adoption of technology unification in 2023 and beyond. Organizations will look to add better technology layers that are seamless, integrated, and consolidated, thus ditching a lot of the single-point solutions. I also think we will see more projects that drive AI, ML, and NLP modeling and training to smarten up products and keep on top of the threatscape.