Publication
DUX 2005
Conference paper
Damming the flood - Monitoring streaming security event data using BlockTables
Abstract
Security Event Monitoring is a tedious job where users stare at long tables of incoming security events indicating potential threats. Most of the events, however, are false alarms and the user has to find these and dismiss them. This paper talks about design changes in a security event monitoring tool, called the ZEC (Zurich Event Console), which, based on findings in a usability study and observations of how event monitors go about their job, are meant to make them more efficient. In particular, BlockTables are designed to make the inherent structure of event data more apparent. We also describe the design of a navigation feature which allows users to navigate the event table based on the inherent block structure exposed by the BlockTables.