Interesting visualization chart from Clarified Networks.
…the horizontal axis represents time (the beginning of March on the left, the end of June on the right) and the vertical axis represents the count of new incidents that appeared to do something nasty at that point of time. One bar is about two days, one line through the vertical axis is about 1000 incidents. Now, when the animation starts going, you can see how unhandled incidents (red color) are detected and then turning into handled ones (grey). In the end we also show the cumulative amount of work still left at each point of time. Sort of “incident debt”, if you will.
The information conveyed looks more like a workflow queue for a service than a security illustration. What does it mean when an incident is “unhandled”? No response, or no solution? Maybe that’s why they call it a “debt” — they’re representing service workloads for security, but it could just as easily be any service ticket queue. It’s the basic difference between items completed and items still being worked on.
Also, each incident appears to have an equal value of debt, which seems unrealistic. Or maybe not all incidents are equal units. Hard to tell. Bouncing lines are a compelling animation but much more interesting would be workload relative to risk. Then workload relative to risk relative to source could be seen. In other words, where are the highest risk incidents and what percentage of resources (number of resources and length of time) do they consume (versus low risk incidents)?
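To make the point concrete, here is a small added example (not from Clarified Networks or the original post) that computes the “incident debt” two ways over a constructed incident list: once as a plain count, as the chart does, and once weighted by a hypothetical risk level, then reports what share of handling time each risk level and each source consumed. The incident records, the risk weights and the source labels are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical weights: turns a raw incident count into a risk-weighted debt.
RISK_WEIGHT = {"low": 1, "medium": 3, "high": 9}

# Constructed sample incidents. "handled" is None while the incident is still open.
INCIDENTS = [
    {"id": "I-1", "opened": date(2010, 3, 1), "handled": date(2010, 3, 3), "risk": "low",    "source": "web"},
    {"id": "I-2", "opened": date(2010, 3, 1), "handled": None,             "risk": "high",   "source": "email"},
    {"id": "I-3", "opened": date(2010, 3, 2), "handled": date(2010, 3, 4), "risk": "medium", "source": "web"},
    {"id": "I-4", "opened": date(2010, 3, 3), "handled": date(2010, 3, 5), "risk": "high",   "source": "vpn"},
    {"id": "I-5", "opened": date(2010, 3, 4), "handled": None,             "risk": "low",    "source": "web"},
]


def is_open_on(incident, day):
    """True if the incident was opened by `day` and not yet handled on `day`."""
    handled = incident["handled"]
    return incident["opened"] <= day and (handled is None or handled > day)


def incident_debt(incidents, day, weighted=False):
    """Outstanding work on `day`: a count, or the sum of risk weights when weighted."""
    open_now = [i for i in incidents if is_open_on(i, day)]
    if not weighted:
        return len(open_now)
    return sum(RISK_WEIGHT[i["risk"]] for i in open_now)


def debt_series(incidents, start, end, weighted=False):
    """Debt for every day in [start, end], the curve the animation draws at the end."""
    series = []
    day = start
    while day <= end:
        series.append((day, incident_debt(incidents, day, weighted)))
        day += timedelta(days=1)
    return series


def days_open(incident, as_of):
    """Handling time consumed so far: close date (or `as_of` if still open) minus open date."""
    end = incident["handled"] or as_of
    return (end - incident["opened"]).days


def resource_share(incidents, as_of, key="risk"):
    """Days of handling time per `key` (risk level or source), plus each group's percentage."""
    days = defaultdict(int)
    for i in incidents:
        days[i[key]] += days_open(i, as_of)
    total = sum(days.values())
    share = {k: round(100.0 * v / total, 1) for k, v in days.items()}
    return dict(days), share


if __name__ == "__main__":
    for day, debt in debt_series(INCIDENTS, date(2010, 3, 1), date(2010, 3, 6)):
        print(day, "count:", incident_debt(INCIDENTS, day), "weighted:", debt)
    print(resource_share(INCIDENTS, date(2010, 3, 6), key="risk"))
    print(resource_share(INCIDENTS, date(2010, 3, 6), key="source"))
```

With this data the two high-risk incidents are 40% of the tickets by count but consume about 54% of the handling time, which is exactly the difference a risk-weighted view exposes and a flat count hides.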
Great analysis. IMHO, this is one of the major problems with “security metrics”, lack of context. In order to boil things down into numbers, you need to group them together and strip out all the individuating context … and that’s very hard to do in a way that’s still accurate and informative.
When we talked today I mentioned Wired.com’s article on Stuxnet. Here it is. Since Stuxnet has been written about endlessly in the past year with wildly varied conclusions, I’m interested to know what you think about it.