The Interactive Dashboards Component of the SPHINX Toolkit
The SPHINX system generates alerts and notifications from a large volume of data. The Interactive Dashboard (ID) component explores, visualises and analyses this data to identify trends and to give a clearer picture of the cybersecurity state of the network infrastructure. The resulting visualisations are grouped into dashboards.
The main functionalities of the ID component are to:
- Display interactive graphs and trends of the data from SPHINX components, notifications, and alerts;
- Create dashboards that group together the graphs to present to the user the relevant data;
- Manage the contact information of the users responsible for cybersecurity. These users will be alerted in case of cybersecurity incidents;
- Display the proposed actions, where they exist, attached to specific alerts.
The Interactive Dashboard is based on Grafana, a multi-platform, open-source analytics and interactive visualisation web application. It provides charts, graphs and alerts when connected to supported data sources, which can be databases (Grafana supports a wide range of time-series and relational databases) or web services. Grafana is extensible through a plug-in system, and end users can build complex monitoring dashboards with its interactive query builders. The Interactive Dashboards component contains all three of the following dashboard types:
- Operational dashboards, which help the user see what is happening right now
- Analytical dashboards which give the user a clear view of performance trends and potential problems
- Strategic dashboards which let the user track their main strategic goals via KPIs.
There are several best practices to consider when creating a dashboard:
- A dashboard should answer a question and have a specific goal, arranging its data from large to small or from general to specific.
- It should reduce cognitive load and be easy to interpret, with obvious meanings.
- It should avoid unnecessary refreshing, which loads the network and the backend: if the data changes every hour, the refresh rate should be set to 1 hour.
- Key data should be identified and made to stand out, so the user sees what is important and saves time.
- Information architecture should guide the layout, taking into account how the user's eyes scan the page.
- The design language and colour scheme should be consistent.
Concrete examples of data sources used by the ID are PostgreSQL and Elasticsearch. For the SPHINX system, a custom plug-in was created to handle the specific requirements of managing alerts from all SPHINX components: the components publish their alerts to Kafka, from where they are imported into a PostgreSQL database that serves as the data source for the alert management plug-in. The Data Traffic Monitoring component generates a large amount of network traffic data, which is published to Elasticsearch, a store optimised for the kind of grouping and summarisation that this component requires.
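The alert path just described (components publish to Kafka, an importer writes to PostgreSQL, the dashboard plug-in queries the table) is shown below as an added example; it is not code from the SPHINX project or from Deliverable 5.2. The alert field names, the producer codes, the sample messages and the table layout are all assumptions made for the example; an in-memory sqlite3 database stands in for PostgreSQL and a plain list of byte strings stands in for the Kafka consumer. The points the paragraph leaves out are the ones an importer on a shared alert bus has to get right: reject off-schema or unknown-producer messages rather than coerce them, normalise timestamps to one timezone so the dashboard's time filters work, make redelivery idempotent, and never let alert text reach the database as SQL.

```python
# Added example (not SPHINX project code): the alert path above, Kafka -> PostgreSQL -> Grafana
# plug-in, reduced to code that runs offline. Assumptions: alert field names are hypothetical,
# sqlite3 stands in for PostgreSQL, a list of constructed byte strings stands in for Kafka.
import json
import sqlite3
from datetime import datetime, timezone

REQUIRED = {"alert_id": str, "component": str, "severity": str, "timestamp": str, "message": str}
SEVERITIES = ("low", "medium", "high", "critical")
# Assumed producer codes for the SPHINX components that feed the ID.
KNOWN_COMPONENTS = {"DTM", "AE", "AD", "SIEM", "VAaaS", "KB", "DSS", "RCRA", "HP", "BBTR"}


def parse_alert(raw: bytes) -> dict:
    """Decode one message; reject (never coerce) off-schema input so it cannot reach the dashboard."""
    obj = json.loads(raw)  # raises ValueError on bad UTF-8 or bad JSON
    if not isinstance(obj, dict):
        raise ValueError("alert must be a JSON object")
    for key, typ in REQUIRED.items():
        if not isinstance(obj.get(key), typ):
            raise ValueError(f"missing or wrongly typed field {key!r}")
    if obj["component"] not in KNOWN_COMPONENTS:
        raise ValueError(f"unknown producer {obj['component']!r}")
    severity = obj["severity"].lower()
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {obj['severity']!r}")
    ts = datetime.fromisoformat(obj["timestamp"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return {
        "alert_id": obj["alert_id"],
        "component": obj["component"],
        "severity": severity,
        "ts": ts.astimezone(timezone.utc).isoformat(),  # one timezone, so time filters sort
        "message": obj["message"][:1000],               # bound free text before storing it
    }


def open_alert_db() -> sqlite3.Connection:  # sqlite3 in place of the PostgreSQL alert database
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE alerts (alert_id TEXT PRIMARY KEY, component TEXT NOT NULL, "
                "severity TEXT NOT NULL, ts TEXT NOT NULL, message TEXT NOT NULL)")
    return con


def import_alerts(con: sqlite3.Connection, messages) -> tuple:
    """Consume raw messages (the Kafka side); returns (inserted, duplicates, rejected). Parameterised SQL
    keeps alert text from running as SQL; PRIMARY KEY + INSERT OR IGNORE makes redelivery idempotent."""
    inserted = duplicates = rejected = 0
    for raw in messages:
        try:
            alert = parse_alert(raw)
        except ValueError:
            rejected += 1
            continue
        cur = con.execute("INSERT OR IGNORE INTO alerts VALUES "
                          "(:alert_id, :component, :severity, :ts, :message)", alert)
        if cur.rowcount == 1:
            inserted += 1
        else:
            duplicates += 1  # same alert_id delivered again: ignored, no second row
    con.commit()
    return inserted, duplicates, rejected


def alerts_per_component(con: sqlite3.Connection, since_utc: str) -> list:
    """Grouped query a dashboard panel would run (in Grafana, $__timeFilter(ts) would supply the bound)."""
    rows = con.execute("SELECT component, severity, COUNT(*) FROM alerts WHERE ts >= ? "
                       "GROUP BY component, severity ORDER BY component, severity", (since_utc,))
    return [tuple(r) for r in rows]


def _msg(**fields) -> bytes:
    return json.dumps(fields).encode()


# Constructed sample messages, not real SPHINX output.
SAMPLE_MESSAGES = [
    _msg(alert_id="ae-001", component="AE", severity="High", timestamp="2021-03-01T10:00:00Z",
         message="Possible brute force against PACS login"),
    _msg(alert_id="ae-001", component="AE", severity="High", timestamp="2021-03-01T10:00:00Z",
         message="Possible brute force against PACS login"),            # redelivered by the broker
    _msg(alert_id="ad-007", component="AD", severity="medium", timestamp="2021-03-01T10:05:00+01:00",
         message="Unusual login hour for user r.smith"),                # local offset, normalised to UTC
    _msg(alert_id="hp-003", component="HP", severity="low", timestamp="2021-03-01T09:50:00Z",
         message="Scan from 10.0.0.7 '); DROP TABLE alerts; --"),       # hostile text stays literal
    _msg(alert_id="xx-999", component="Mallory", severity="critical", timestamp="2021-03-01T10:06:00Z",
         message="spoofed"),                                            # unknown producer: rejected
    b"not json at all",                                                 # not JSON: rejected
]


def run_demo() -> dict:
    con = open_alert_db()
    counts = import_alerts(con, SAMPLE_MESSAGES)
    summary = alerts_per_component(con, "2021-03-01T00:00:00+00:00")
    stored = con.execute("SELECT message FROM alerts WHERE alert_id = ?", ("hp-003",)).fetchone()[0]
    return {"counts": counts, "summary": summary, "hp_message": stored}

print(run_demo())
```

Running it imports three alerts, ignores the redelivered copy and rejects the two bad messages; the summary is the per-component, per-severity count a Grafana panel would chart, and the Honeypot message is stored verbatim because it was bound as a parameter, not spliced into the query. Against a real PostgreSQL data source the panel query would use Grafana's `$__timeFilter(ts)` macro for the time range, and the database account Grafana uses should be a read-only user restricted to the alert table, since Grafana passes panel queries to the database as written.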
Overall, the Interactive Dashboards component supports other components in the SPHINX ecosystem, and their relationships are represented in the following image:
The ID receives data from ten other SPHINX components over the following interfaces (Real-time Cyber Risk Assessment provides two feeds):
- From Data Traffic Monitoring, ID receives traffic data and presents it in a user-friendly, interactive way. Users can visualise and interact with traffic statistics (graphics) and with notifications and alerts about suspicious traffic.
- From the Analytic Engine, ID receives cyber threat and attack data as JSON files and presents it in a user-friendly, interactive way. Users can visualise and act upon statistics (graphics) and notifications and alerts about cyber threats and attacks.
- From Anomaly Detection, ID receives detected anomalous system and user behaviour data as JSON files and presents the anomalies reported by the AD component. Users can visualise and act upon statistics (graphics) and notifications and alerts about the detected anomalous system and user behaviours.
- From Security Information and Event Management, ID receives detected security information and events and presents the data reported by the SIEM component. Users can visualise and act upon statistics (graphics) and notifications and alerts about registered security information and events.
- From Vulnerability Assessment as a Service, ID receives vulnerability assessment reports and presents them in a user-friendly, interactive way.
- From the Knowledge Base, ID receives overall cybersecurity information and displays graphics on the IT infrastructure's overall cybersecurity history, status and forecast.
- From the Decision Support System, ID receives suggested decisions and proposed courses of action together with their consequences (impact). Users can visualise and act upon the suggested decisions and proposed courses of action, including decisional graphics.
- From Real-time Cyber Risk Assessment, ID receives a list of cybersecurity risks and presents the system's security risk level (the list of risks, including indices and consequences) reported by the RCRA component.
- Also from Real-time Cyber Risk Assessment, ID receives warnings and alert notifications on forecasted risks and presents them in a user-friendly, interactive way.
- From the Honeypot, ID receives a list of detected cyber-attacks and presents the attacks reported by the HP component.
- From the Blockchain Based Threats Registry, ID receives a list of new cyber threats and presents them in a user-friendly, interactive way.
More information about the Interactive Dashboards component can be found in Deliverable 5.2, which is publicly available.