{"id":763,"date":"2015-03-29T16:58:18","date_gmt":"2015-03-30T00:58:18","guid":{"rendered":"http:\/\/raffy.ch\/blog\/?p=763"},"modified":"2015-03-29T16:58:18","modified_gmt":"2015-03-30T00:58:18","slug":"security-dashboards-where-to-start","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2015\/03\/29\/security-dashboards-where-to-start\/","title":{"rendered":"Security Dashboards &#8211; Where to Start"},"content":{"rendered":"<p>I just got off a call with a client and they asked me what they should put on their security dashboards. It&#8217;s a nice continuation of the discussion of the <a href=\"http:\/\/raffy.ch\/blog\/2015\/01\/15\/dashboards-in-the-security-opartions-center-soc\/\">SOC Overhead Dashboard<\/a>.<\/p>\n<p>Here are some thoughts. The list stems from a slide that I use during the <a href=\"http:\/\/ubm.io\/1z7vd3a\">Visual Analytics Workshop<\/a>:<\/p>\n<ul>\n<li><strong>Audience, audience, audience!<\/strong><\/li>\n<li><strong>Comprehensive Information<\/strong> (enough context) &#8211; use percentages; a single number of 100 unpatched machines doesn&#8217;t mean anything. Out of how many? How has it changed over time? etc.<\/li>\n<li><strong>Highlight important data<\/strong> &#8211; guide the user in absorbing data quickly<\/li>\n<li><strong>Use graphics when appropriate<\/strong> &#8211; tables or numbers are sometimes more effective<\/li>\n<li><strong>Good choice of graphics and design<\/strong> &#8211; treemaps might be useful, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Bullet_graph\">bullet graphs<\/a> are great, apply Tufte&#8217;s data-ink ratio paradigm, etc.<\/li>\n<li><strong>Aesthetically pleasing<\/strong> &#8211; nobody likes to look at a boring dashboard<\/li>\n<li><strong>Enough information<\/strong> to decide if action is necessary<\/li>\n<li><strong>No scrolling<\/strong><\/li>\n<li><strong>Real-time vs. batch<\/strong>? (refresh rates)<\/li>\n<li><strong>Clear organization<\/strong><\/li>\n<\/ul>\n<p>Should you be tempted to put a <strong><em>world map<\/em><\/strong> on your dashboard, I challenge you to think really hard about what is actionable about that display. What does the viewer gain from looking at the map? Is there a takeaway for them? If so, go ahead, but most likely either a bar chart or a simple table of the top attacking, most attacked, or most frequently seen sources or destinations is going to be more useful! Does physical proximity really matter?<\/p>\n<p><a href=\"http:\/\/www.amazon.com\/Information-Dashboard-Design-At-Glance\/dp\/1938377001\"><img decoding=\"async\" src=\"http:\/\/ecx.images-amazon.com\/images\/I\/41nMRjQpMEL.jpg\" style=\"float:right; width:100px\"\/><\/a>There is a fantastic book by Stephen Few on exactly this topic: <a href=\"http:\/\/www.amazon.com\/Information-Dashboard-Design-At-Glance\/dp\/1938377001\">&#8220;Information Dashboard Design&#8221;<\/a>. I cannot recommend it enough if you are going to build a dashboard.<\/p>\n<p>Would love to hear your thoughts on the topic of security dashboards! And for an in-depth and more elaborate treatment of the topic, attend the <a href=\"http:\/\/ubm.io\/1z7vd3a\">Visual Analytics workshop at BlackHat US<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I just got off a call with a client and they asked me what they should put on their security dashboards. It&#8217;s a nice continuation of the discussion of the SOC Overhead Dashboard. Here are some thoughts. The list stems from a slide that I use during the Visual Analytics Workshop: Audience, audience, audience! Comprehensive [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-763","post","type-post","status-publish","format-standard","hentry","category-visualization"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=763"}],"version-history":[{"count":11,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/763\/revisions"}],"predecessor-version":[{"id":792,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/763\/revisions\/792"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?parent=763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}