How User Interface Design Drives Better Threat Detection
The most well-known data breach in our industry occurred in December 2013, when more than 40 million credit card numbers were stolen from nearly 2,000 Target stores. The investigation and the conclusions from that case are still being studied today.
While the Target breach may seem like a relic from the past, the security problems it exposed are still a concern for organizations today. Enterprises struggle to detect attacks, find network blind spots, improve security posture, and reduce false positives and security incidents. Oftentimes, security policies go unenforced or disrupt legitimate users from getting their work done, and there is no reliable way to tell benign changes in user activity apart from malicious ones.
How can you easily prioritize incidents?
Preempt wants not only to help you detect security threats; we've also made it our mission to make it easier for you to consume the data. Organizations can easily be overwhelmed by the sheer number of alerts and then find it difficult to prioritize their workload.
Alerts in your security system should be represented properly; otherwise, it will be very difficult to pick out the high severity alerts from the ones that pose lesser risk to your organization. This is the reason we pay attention to the smallest details in our user interface: to give overworked security teams the ability to respond to threats efficiently.
One of the main roles of a security analytics tool is to show which incident is urgent or critical with as little delay as possible. To achieve this, the alert (or incident) needs to reflect its severity level accurately, with as few false positives as possible. The visualization needs to be so succinct that users standing meters away from the dashboard can quickly distinguish between severity levels.
There are several visualization methods, but the main rule of thumb is that you cannot depend on just one method to convey the severity of an incident.
Here are the different ways you can categorize security incidents:
One of the most recognizable elements of cybersecurity visualization is the color palette that is applied to alert classification.
Depending on the level of severity, the color changes to depict the criticality of the alert, with red as the conventional color for the most critical. Most security products on the market use one of two schemes: three-tiered or five-tiered severity levels.
However, classifying alerts only by color is not enough. The most common type of color blindness is red-green: roughly 8% of men and 0.5% of women cannot reliably tell these two colors apart.
Moreover, our users own different kinds of display screens and it is often difficult to predict how the colors will be displayed from one monitor to another.
Here are examples of a 5-tiered security color palette:
Here is an example of a 3 tiered security color palette:
Because green is often associated with "go" or "good", it is often used to reflect an alert that is less critical. However, this may not be the wisest choice, given that a user may be red-green colorblind or may have a monitor that does not display the intended color. A better solution is to replace green with grey or blue.
Green is not the only problematic color on the security color palette: yellow poses a problem on white backgrounds because the two are difficult to tell apart, whether on a screen or in printed collateral.
Usually, the scores are divided into three main colors: green/blue, yellow/orange and red. Using more than three colors usually does not have the same effect, as the other color hues are very similar to each other and do not offer a clear meaning. For example, two other red hues can be hard to differentiate at a glance and even if differentiated, it is hard to take a definitive course of action based on a shade of red.
Many security solutions use icons as the second element to help classify alerts. A set of severity icons can become an integral part of the company’s branding as well, like Siemplify or Cybereason.
Like security color palettes, security icons aren't as easy as they seem, as it is often difficult to reach a consensus on a set of icons. From experience, I would personally recommend that organizations use icons for at most 3 severity levels. Here's why:
See an example of 3 severity levels set:
Now, take a look at an example of 5 severity levels:
The five-icon set is much more difficult to understand than a 3-severity set. Is the flag the best choice for level 2 severity? Isn't the flame too extreme, and what does it even mean? The main problem with a set of 5 icons is that it opens the icons up to individual interpretation. Beyond the first 3, it is not clear what each icon means.
Some individuals might see the flag at a higher level than the hazard/alert sign, and some might view the fire to have a different meaning altogether.
Trying to combine a five-tiered color palette with a set of 3 icons is a bad idea as well. As you can see below, varying the color on the same icon widens the range of interpretations:
The only difference among the top 3 levels is the color: yellow, orange, or red. Applying different colors to the same icon confuses users even more, because the delineation between the different hazard/alert signs becomes even less clear.
When this combination is shown to a colorblind user, it creates more confusion as to what each icon represents as the lowest severity hazard/alert icon looks less severe than the “i” information icon.
There is another issue with severity icons: icons are open to interpretation, and one icon might have different meanings for different people. For example, the "i" can be read as a system message or as the extra information that appears next to forms, filters, etc. to guide a user, or it can be read as an alert that raises a minor issue. Similarly, the flag icon and the hazard/alert icon can be interpreted in multiple ways. Because icons, like colors, admit a wide range of interpretations, they are often not the most reliable element for displaying the severity of an alert.
A numeric score for each alert can be a good solution as well, as long as the range is 1-10 or 1-5. A range of 1-100 can work too, but what is the real difference between 72 points and 77 points? Such fine-grained scores make it harder for users to interpret the actual difference in severity between alerts, and as a result they can lead to unclear remediation.
While numeric scoring leaves less room for user interpretation, and thus less confusion, there are negatives to using a numeric method alone. Oftentimes, security products use scores or points for other elements that are not necessarily tied to alerts, such as an entity risk score, so the numbers can be confused with one another. Numeric scores are difficult to act on by themselves and are often already used by other security solutions, making them a controversial choice.
Based on my experience, the levels method, applying only three tiers of severity, seems like the simplest and most frictionless way to display alerts. This type of visualization of security incidents can take many forms, yet remain concise and clear without being open to a wide range of interpretation. The concept is borrowed from traffic lights meant for the everyday pedestrian, and the same simple concept applies to security.
Preempt uses this method to reflect the severity of detected security incidents because we believe this is the best way for our users to understand severity quickly and accurately.
See some examples of how to show different levels of security:
How it would look to red-blind users:
As you can see, the levels method does not widen the range of interpretation, as it remains very clear which level is the most critical.
While designing its product, Preempt is dedicated to providing accessibility to all users. Severity recognition is a foundational step in cybersecurity, and making alert visualization easy for our end users is one of the ways we reduce the noise and increase efficiency.
It’s a Detailed Process to Achieve Good UI
Preempt believes that good threat detection starts with good UI, and good UI starts with careful selection of design methods. While the end goal is to offer the cleanest, most elegant, and simplest concept for any user to understand immediately without a margin of interpretation, getting to that point requires careful consideration of each and every element. Only by thoroughly vetting each design element across different permutations and combinations can we achieve good UI. With good UI, we can enable security teams to act quickly and effectively and thus drive better threat detection.
Posted by Shani Ofer on October 17, 2019 6:17 PM