What makes the perfect dashboard?
It’s more important than ever before to provide security staff with the tools to enable them to be as effective as possible.
The sheer volume and variety of threats security teams face means that recognising which ones are most dangerous, and need further investigation, is crucial for security operation centres that are already overstretched.
Alarm fatigue remains an issue, resulting in some genuine threats being missed, while analysts pursue others that are more obvious but represent less of a risk (false positives).
As well as putting the appropriate cybersecurity technologies and systems in place, security teams need a security dashboard that is fit for purpose – one that enables them to quickly prioritise threats to their organisation and respond to those where human intervention is needed.
So what are the key usability characteristics that allow a dashboard to work for users, irrespective of their level of experience or knowledge? Here are some pointers:
Single pane view
The ability to have all metrics and controls on a single dashboard means everything being monitored is available at a glance, without the need to toggle between screens. All information needed to make informed decisions is therefore available in one place and in a concise view.
On a car dashboard, all essential information – speed, fuel level, warning lights and satellite navigation – is available with just a slight movement of the eyes. There is no need to have a pie chart showing the number of times you’ve braked or accelerated, as that doesn’t improve your driving and would be a distraction. The same principle applies to a security dashboard: What you need to know, when you need to know it, where you need to see it.
A threat dashboard should include comparative elements to show how things have changed over time. For example, it could show whether the number of threats dealt with in a month is higher or lower than usual, prompting analysts to look into why that might be, e.g. a new vulnerability or changes to the systems used.
Using ratios is also useful. For example, the volume of threat traffic coming from a particular source or location as a ratio of overall traffic could quickly show evidence of a new threat actor. Or a dashboard could show the number of false positives as a ratio of total observations, showing the reliability of detection.
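The two ratios described above, together with a month-on-month comparison of each source's share, as an added example (not code from the original article). The record layout, source names, counts and the `min_rise` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from any real network):
# (month, source, verdict) -> number of observations.
# verdict: "benign" = not flagged, "threat" = confirmed alert,
# "false_positive" = alert dismissed by an analyst.
OBSERVATIONS = {
    ("2024-01", "source-a", "benign"): 900,
    ("2024-01", "source-a", "threat"): 20,
    ("2024-01", "source-b", "benign"): 60,
    ("2024-01", "source-b", "false_positive"): 20,
    ("2024-02", "source-a", "benign"): 880,
    ("2024-02", "source-a", "threat"): 20,
    ("2024-02", "source-b", "benign"): 40,
    ("2024-02", "source-b", "false_positive"): 10,
    ("2024-02", "source-c", "threat"): 50,
}

def month_total(obs, month):
    """All observations in a month: the denominator for both ratios."""
    return sum(n for (m, _, _), n in obs.items() if m == month)

def threat_share_by_source(obs, month):
    """Confirmed threat traffic per source as a ratio of overall traffic."""
    total = month_total(obs, month)
    if total == 0:  # a month with no data has no meaningful ratio
        return {}
    threats = defaultdict(int)
    for (m, source, verdict), n in obs.items():
        if m == month and verdict == "threat":
            threats[source] += n
    return {source: n / total for source, n in threats.items()}

def false_positive_ratio(obs, month):
    """False positives as a ratio of total observations."""
    total = month_total(obs, month)
    fps = sum(n for (m, _, v), n in obs.items()
              if m == month and v == "false_positive")
    return fps / total if total else 0.0

def rising_sources(obs, previous, current, min_rise=0.02):
    """Sources whose threat share grew by at least min_rise between months.
    A source absent from the previous month counts as a share of 0."""
    before = threat_share_by_source(obs, previous)
    after = threat_share_by_source(obs, current)
    return sorted(s for s, share in after.items()
                  if share - before.get(s, 0.0) >= min_rise)
```

On this data, `source-c` is the only source whose share of threat traffic rose between the two months, while the false-positive ratio halved.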
By being understandable, a dashboard can be used by different analysts, regardless of their level of experience or seniority, so that they can react appropriately to the metrics shown. And if an individual working in a different part of the business wants to understand what the security team is dealing with, it’s useful for them to be able to understand what is in front of them too.
Appropriate visualisations showing relevant information clearly communicate what’s being shown and prompt the appropriate response from the viewer. For example, rather than a pie chart showing threat sources, a series of tiles, showing figures for each source, provides a quicker route to understanding the metrics being measured.
Customisable and relevant
Making the information relevant to each security analyst is another key element of creating an effective dashboard. With different team members having different roles and responsibilities, each one will need a slightly different set of metrics on their dashboard.
The CISO, for example, would need complete visibility of what the security team is dealing with, to lead efforts to improve the effectiveness of the security team, benchmark the organisation against others, and ensure threat intelligence is shared. A security analyst, in contrast, needs the metrics to investigate and respond to security incidents.
Able to influence behaviour
As a dashboard is intended to help security analysts make quicker decisions, it should include information that changes the behaviour of security staff.
For example, suppose the CISO determines that the security team needs to be more proactive, identifying and blocking threats directly, rather than responding to active campaigns. By configuring the dashboard to allow staff to block indicators associated with specific intelligence, a CISO can track how many indicators are being deployed based on the type of intelligence. This will help determine whether analysts are being more proactive.