ThreatVectors: contextual workflows and visualizations for rapid cyber event triage

S. Miserendino, Corey Maynard, Jacob Davis
DOI: 10.1109/CYBERINCIDENT.2017.8054637
URL: https://doi.org/10.1109/CYBERINCIDENT.2017.8054637
Published in: 2017 International Conference On Cyber Incident Response, Coordination, Containment & Control (Cyber Incident)
Publication date: 2017-06-01
Publication type: Journal Article
Citation count: 3
Indexed by: Semantic Scholar

Abstract

Cyber security operations face a daily flood of security events generated by automated security tools and analytics. These events must be rapidly and accurately triaged to remove false positives and focus investigations on those presenting the greatest risks to the enterprise and requiring immediate remediation. We introduce ThreatVectors as a contextual triage workflow and event visualization tool to aid operators in event triage. ThreatVectors use a streaming event processing framework for event correlation, aggregation and prioritization based on user-definable event collections and a cyber-triage domain-specific language. Triage work progress is shown using a novel progress bar matrix. Event collection visualization includes abstract event thumbnails for event overview and a dynamic filtering mechanism based on metafield hierarchies. Bulk adjudication of filtered event views and event clusters is supported. User testing on large enterprise networks indicates the approach has significant potential for aiding in identifying multi-event campaigns, supporting collaborative triage and reducing total time spent triaging events.