Visualization for Security
Transcript of Visualization for Security
Raffael Marty, CEO
Visualization for Security
Blue Coat - Sunnyvale August, 2014
Security. Analytics. Insight.
I am Raffy - I do Viz!
IBM Research
What is Security Visualization?
Treemap of a Firewall Log
Showing MS Blaster:
• ping scan machines (echo requests)
• if found(machine)
• connect on port 135
Security Visualization Can Be Beautiful
Part of the Enron email dataset (legend: sender, recipient)
Security Visualization - Sometimes Abstract
Parallel Coordinates of an IDS log
Can you find anything interesting?
Security Visualization
One destination is getting hammered!
Parallel Coordinates of an IDS log
Security Visualization
One destination is getting hammered!
Maybe a false positive?
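The reasoning these IDS-log slides walk through, written out as an added example (not code from the deck or from the author): one destination dominates the dst axis of the parallel-coordinates plot, and the question "maybe a false positive?" is answered by looking at what the other axes (source, port, signature) do for that one destination. The alert log, the field names and the 50% share threshold are constructed assumptions; the second log shows the same hammered host under a real campaign for contrast.

```python
from collections import Counter

# Constructed IDS alert log (not the slides' data). Each alert carries the
# fields that become the axes of a parallel-coordinates plot.
def _alert(src, dst, dport, sig):
    return {"src": src, "dst": dst, "dport": dport, "sig": sig}

# Scenario A: one host dominates the destination axis, but every alert comes
# from the same source, port and signature: a monitoring poller tripping a rule.
IDS_LOG = [_alert("10.0.9.9", "10.0.2.20", 161, "SNMP request tcp") for _ in range(24)] + [
    _alert("10.0.1.5",  "10.0.2.30", 443,  "SQL injection attempt"),
    _alert("10.0.1.5",  "10.0.2.31", 80,   "SQL injection attempt"),
    _alert("10.0.1.7",  "10.0.2.32", 22,   "SSH brute force"),
    _alert("10.0.1.8",  "10.0.2.33", 445,  "SMB probe"),
    _alert("10.0.1.9",  "10.0.2.34", 80,   "Directory traversal"),
    _alert("10.0.1.10", "10.0.2.35", 8080, "Directory traversal"),
]

# Scenario B: the same host is hammered, but by many sources, on several
# ports, with a mix of signatures: a campaign, not a false positive.
IDS_LOG_ATTACK = [
    _alert(f"198.51.100.{i}", "10.0.2.20", [22, 80, 443][i % 3],
           ["SSH brute force", "SQL injection attempt", "Directory traversal"][i % 3])
    for i in range(1, 25)
] + IDS_LOG[24:]


def axis_counts(events, field):
    """Value distribution along one parallel-coordinates axis."""
    return Counter(e[field] for e in events)


def hammered_destination(events, min_share=0.5):
    """The destination that dominates the dst axis, or None when no single
    host receives at least min_share of all alerts."""
    dst, n = axis_counts(events, "dst").most_common(1)[0]
    share = n / len(events)
    return (dst, n, share) if share >= min_share else None


def destination_profile(events, dst):
    """What the other axes look like for alerts hitting dst: the facts an
    analyst checks before escalating."""
    hits = [e for e in events if e["dst"] == dst]
    return {
        "alerts": len(hits),
        "distinct_sources": len(axis_counts(hits, "src")),
        "distinct_ports": len(axis_counts(hits, "dport")),
        "distinct_signatures": len(axis_counts(hits, "sig")),
        "top_signature": axis_counts(hits, "sig").most_common(1)[0][0],
    }


def looks_like_false_positive(profile):
    """One source, one port, one signature repeating against one host is the
    shape of a scheduled probe (monitoring, backup, scanner), not of an
    attack; it calls for rule tuning rather than an incident."""
    return (profile["distinct_sources"] == 1 and profile["distinct_ports"] == 1
            and profile["distinct_signatures"] == 1)


if __name__ == "__main__":
    for name, log in (("poller", IDS_LOG), ("campaign", IDS_LOG_ATTACK)):
        dst, n, share = hammered_destination(log)
        prof = destination_profile(log, dst)
        print(f"{name}: {dst} gets {n}/{len(log)} alerts ({share:.0%}); "
              f"false positive? {looks_like_false_positive(prof)}; {prof}")
```

The parallel-coordinates plot shows the same thing at a glance: in scenario A every line into the hammered destination starts at one source and ends at one signature, in scenario B the lines fan out on every other axis.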
Visualization
Basic Visualization Principles
How many 9’s?
How Many Nines?
What Product has Highest Profit? And Which has Worst Sales?
Table / Charts
• The exact values are not important
• Comparisons
• Highlights
Show Context
42
Show Context
42 is just a number
and means nothing without context
Use Numbers To Highlight Most Important Parts of Data
Numbers / Summaries
Visualization Creates Context
Visualization Puts Numbers (Data) in Context!
Visualization To …
• Present / Communicate
• Discover / Explore
Data Presentation
Principles of Analytic Design (by Edward Tufte)
• Show comparisons, contrasts, differences
• Show causality, mechanism, explanation, systematic structure
• Show multivariate data; that is, show more than 1 or 2 variables
Comparison (to Normal)
DNS Reflection, March 20, 2013
• 1:100 amplification with DNS zone transfer for the ripe.net domain
• 309Gbps for 28 minutes, 30956 open resolver IPs, 3 networks that allowed spoofing, 5-7 compromised servers
Causality / Explanation
Multi-Variate Data
Choosing Visualizations
Objective, Data, Audience
Charts
More Advanced Graphs
• Parallel Coordinates
• Treemaps
• Link Graphs
• etc.
Add Context
Additional information about objects, such as:
• machine: roles, criticality, location, owner, …
• user: roles, office location, …
(figure: source → destination flows annotated with machine and user context: machine role, user role)
Traffic Flow Analysis With Context
Intra-Role Anomaly - Random Order
(chart axes: users, time; measure: dc(machines))
Add Context - User Roles
(same chart with users grouped by role: Administrator, Sales, Development, Finance; one outlier annotated "Admin???")
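The "Add Context" slides and the two intra-role anomaly charts describe one workflow: join each flow with machine context (role, criticality, location, owner) and user context (role, office), then judge a user's distinct-machine count, dc(machines), against peers in the same role rather than in isolation. The following is an added example of that workflow, not the author's tool or code. The inventory, user directory, expected-role policy and flow records are all constructed, and the 3x-median rule for calling an outlier is an assumption.

```python
from collections import defaultdict
from statistics import median

# Constructed asset inventory (assumption: a CMDB keyed by IP; not the slides' data).
SERVERS = {
    "10.2.0.1": {"role": "mail",  "criticality": "medium", "location": "DC1"},
    "10.2.0.2": {"role": "crm",   "criticality": "high",   "location": "DC1"},
    "10.2.0.3": {"role": "git",   "criticality": "high",   "location": "DC1"},
    "10.2.0.4": {"role": "build", "criticality": "medium", "location": "DC1"},
    "10.2.0.5": {"role": "erp",   "criticality": "high",   "location": "DC2"},
    "10.2.0.6": {"role": "db",    "criticality": "high",   "location": "DC2"},
}
# Constructed user directory: role, office, and the workstation each user owns.
USERS = {
    "alice": {"role": "Sales",         "office": "SFO", "workstation": "10.1.0.10"},
    "bob":   {"role": "Sales",         "office": "NYC", "workstation": "10.1.0.11"},
    "carol": {"role": "Sales",         "office": "SFO", "workstation": "10.1.0.12"},
    "dave":  {"role": "Development",   "office": "SFO", "workstation": "10.1.0.13"},
    "erin":  {"role": "Development",   "office": "ZRH", "workstation": "10.1.0.14"},
    "frank": {"role": "Finance",       "office": "NYC", "workstation": "10.1.0.15"},
    "gina":  {"role": "Administrator", "office": "SFO", "workstation": "10.1.0.16"},
}
MACHINES = dict(SERVERS)
for _name, _u in USERS.items():
    MACHINES[_u["workstation"]] = {"role": "workstation", "owner": _name,
                                   "criticality": "low", "location": _u["office"]}

# Constructed policy: the machine roles each user role is expected to reach.
EXPECTED = {
    "Sales": {"mail", "crm"},
    "Development": {"mail", "git", "build"},
    "Finance": {"mail", "erp"},
    "Administrator": {"mail", "crm", "git", "build", "erp", "db"},
}


def _flows(user, dst_ips):
    ws = USERS[user]["workstation"]
    return [{"user": user, "src": ws, "dst": ip, "dport": 443} for ip in dst_ips]


# Constructed flow log: carol, in Sales, reaches far more machines than her peers.
FLOWS = (
    _flows("alice", ["10.2.0.1", "10.2.0.2"])
    + _flows("bob",   ["10.2.0.1", "10.2.0.2"])
    + _flows("carol", list(SERVERS) + ["10.1.0.13", "10.1.0.14", "10.1.0.16"])
    + _flows("dave",  ["10.2.0.1", "10.2.0.3", "10.2.0.4"])
    + _flows("erin",  ["10.2.0.1", "10.2.0.3", "10.2.0.4"])
    + _flows("frank", ["10.2.0.1", "10.2.0.5"])
    + _flows("gina",  list(SERVERS))
)


def enrich(flow):
    """Join a raw flow with machine and user context (the slides' 'add context')."""
    src, dst = MACHINES.get(flow["src"], {}), MACHINES.get(flow["dst"], {})
    user = USERS.get(flow["user"], {})
    return {**flow,
            "src_role": src.get("role", "unknown"),
            "dst_role": dst.get("role", "unknown"),
            "dst_criticality": dst.get("criticality", "unknown"),
            "user_role": user.get("role", "unknown")}


def unexpected_flows(flows):
    """Enriched flows whose destination role lies outside the user role's norm."""
    return [f for f in map(enrich, flows)
            if f["dst_role"] not in EXPECTED.get(f["user_role"], set())]


def distinct_machines_per_user(flows):
    """dc(machines) per user: how many distinct destinations each user touched."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["user"]].add(f["dst"])
    return {u: len(s) for u, s in seen.items()}


def intra_role_outliers(flows, factor=3):
    """Users whose dc(machines) exceeds factor x the median of their role peers.
    Comparing within the role is what turns a raw count into an anomaly."""
    dc = distinct_machines_per_user(flows)
    by_role = defaultdict(dict)
    for user, n in dc.items():
        by_role[USERS.get(user, {}).get("role", "unknown")][user] = n
    outliers = []
    for role, members in by_role.items():
        peer_median = median(members.values())
        for user, n in members.items():
            if n > factor * peer_median:
                outliers.append((user, role, n, peer_median))
    return outliers


if __name__ == "__main__":
    for f in unexpected_flows(FLOWS):
        print(f"{f['user']} ({f['user_role']}) -> {f['dst']} "
              f"[{f['dst_role']}, {f['dst_criticality']}]")
    print(intra_role_outliers(FLOWS))
```

Without the role join, gina (an administrator touching six servers) and carol (a sales user touching nine machines) look alike on a dc(machines) axis; grouped by role, gina is normal and carol is the "Admin???" point from the slide.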
Aesthetics Matter
• Black background
• Blue or green colors
• Glow
http://www.scifiinterfaces.com/
Dashboards
Dashboard Design Principles
• Audience, audience, audience!
• Comprehensive information (enough context)
• Highlight important data
• Use graphics when appropriate
• Good choice of graphics and design
• Aesthetically pleasing
• Enough information to decide if action is necessary
• No scrolling
• Real-time vs. batch? (refresh rates)
• Clear organization
Netflix Dashboard
http://blog.fusioncharts.com/2014/04/how-netflix-plans-to-improve-its-operational-visibility-with-real-time-data-visualization/#more-7243
Data Discovery & Exploration
Visualize Me Lots (>1TB) of Data
Data Visualization Workflow
Overview → Zoom / Filter → Details on Demand
Principle by Ben Shneiderman
Backend Support
This visualization process requires:
• Low latency, scalable backend (columnar, distributed data store)
• Efficient client-server communications and caching
• Assistance of data mining to:
  • Reduce the overall data to look at
  • Highlight relationships, patterns, and outliers
  • Assist the analyst in focusing on ‘important’ areas
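Shneiderman's overview, zoom/filter, details-on-demand sequence, and the reason the slide asks for a backend with caching, as an added example that is not part of the deck: each step answers from a table that was aggregated once when the index was built, so zooming never rescans the raw flows. The flow records, the field names and the choice of /24 networks as the overview grouping are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict


# Constructed flow records (not the slides' data).
def _flows(n, src, dst, dport, nbytes):
    return [{"src": src, "dst": dst, "dport": dport, "bytes": nbytes + i} for i in range(n)]


FLOWS = (
    _flows(25, "10.1.0.10", "10.2.0.5", 443, 1500)
    + _flows(10, "10.1.0.11", "10.2.0.6", 22, 400)
    + _flows(5,  "10.1.0.12", "10.2.0.7", 80, 900)
    + _flows(20, "10.1.0.13", "10.3.0.9", 443, 1200)
)


def net24(ip):
    """Overview grouping key: the /24 a destination address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class FlowIndex:
    """Pre-aggregated index built once, so each step of overview -> zoom/filter
    -> details reads a precomputed table instead of rescanning all flows (the
    role a columnar store plus cache plays in the slide's backend)."""

    def __init__(self, flows):
        self.by_net = defaultdict(list)       # net -> flows into that net
        self.by_endpoint = defaultdict(list)  # (dst, dport) -> raw flows
        self.net_totals = Counter()           # net -> flow count (overview row)
        for f in flows:
            net = net24(f["dst"])
            self.by_net[net].append(f)
            self.by_endpoint[(f["dst"], f["dport"])].append(f)
            self.net_totals[net] += 1

    def overview(self):
        """Step 1: one row per destination network, busiest first."""
        return self.net_totals.most_common()

    def zoom(self, net):
        """Step 2: inside one network, flows per (destination, port)."""
        return Counter((f["dst"], f["dport"]) for f in self.by_net[net]).most_common()

    def details(self, dst, dport):
        """Step 3: the raw records behind one (destination, port) pair."""
        return self.by_endpoint[(dst, dport)]


if __name__ == "__main__":
    idx = FlowIndex(FLOWS)
    print("overview:", idx.overview())
    busiest_net = idx.overview()[0][0]
    print("zoom:", idx.zoom(busiest_net))
    (dst, dport), _ = idx.zoom(busiest_net)[0]
    print("details:", idx.details(dst, dport)[:3])
```

The index is the part that has to scale: for >1TB of flows the three tables live in the distributed store and the client only ever pulls the rows for the level it is looking at.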
What I am Working On
(Screenshot of the tool, text only: navigation tabs Data Stores, Analytics, Forensics, Models, Admin; a link graph of flows such as 10.9.79.109 --> 3.16.204.150, 10.8.24.80 --> 192.168.148.193, 10.8.50.85 --> 192.168.148.193, 10.8.48.128 --> 192.168.148.193, 10.9.79.6 --> 192.168.148.193, with nodes 10.9.79.6, 10.8.48.128, 80, 53, 8.8.8.8, 127.0.0.1; an Anomalies panel showing a time-series decomposition into Data, Seasonal and Trend, with Anomaly Details; workflow: “Hunt”, Explain, Communicate.)
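The anomaly panel in that screenshot decomposes a time series into Data, Seasonal and Trend and lists the points that do not fit. The block below is an added example of such an additive decomposition (not the author's tool, whose method the deck does not describe): a constructed hourly connection-count series with an upward trend, a business-hours daily pattern, small noise and one injected spike. Using medians for both the seasonal profile and the trend is a deliberate choice so the spike cannot leak into the components it should stand out from; the period of 24, the MAD-based score and the threshold of 5 are assumptions.

```python
from statistics import median

PERIOD = 24  # hourly samples, one-day seasonality (assumption for the constructed series)


def constructed_series(days=7, spike_at=100, spike=300):
    """Constructed hourly connection counts (not real data): slow upward trend
    + business-hours daily pattern + small deterministic noise + one spike."""
    values = []
    for t in range(days * PERIOD):
        hour = t % PERIOD
        season = 50 if 9 <= hour < 18 else 10
        noise = ((t * 7919) % 5) - 2          # pseudo-noise in -2..2
        values.append(100 + 0.5 * t + season + noise + (spike if t == spike_at else 0))
    return values


def decompose(values, period=PERIOD):
    """Additive decomposition: data = seasonal + trend + residual.
    Seasonal profile = median across cycles at each phase; trend = centred
    moving median of the deseasoned series. Medians keep a single spike from
    distorting either component."""
    cycles = len(values) // period
    seasonal = [median(values[c * period + h] for c in range(cycles)) for h in range(period)]
    deseasoned = [v - seasonal[t % period] for t, v in enumerate(values)]
    half = period // 2
    trend = [median(deseasoned[max(0, t - half):t + half + 1]) for t in range(len(values))]
    resid = [deseasoned[t] - trend[t] for t in range(len(values))]
    return seasonal, trend, resid


def robust_scores(resid):
    """Residual in units of MAD (median absolute deviation), a scale estimate
    the spike itself cannot inflate the way a standard deviation would."""
    center = median(resid)
    mad = median(abs(r - center) for r in resid) or 1.0   # guard: all-zero residual
    return [(r - center) / (1.4826 * mad) for r in resid]


def anomalies(values, period=PERIOD, threshold=5.0):
    """Points whose residual score exceeds the threshold, strongest first:
    the 'Anomaly Details' an analyst hunts through, then explains."""
    seasonal, trend, resid = decompose(values, period)
    scores = robust_scores(resid)
    hits = [(t, values[t], resid[t], scores[t])
            for t in range(len(values)) if abs(scores[t]) > threshold]
    return sorted(hits, key=lambda h: -abs(h[3]))


if __name__ == "__main__":
    data = constructed_series()
    for t, value, residual, score in anomalies(data):
        print(f"t={t:3d} hour={t % PERIOD:2d} value={value:.0f} "
              f"residual={residual:+.0f} score={score:.1f}")
```

Plotting the four lists (data, seasonal repeated per day, trend, residual) one above the other is the decomposition view from the screenshot; the residual panel is where the spike at t=100 is the only thing left to explain.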
Recap
Visualization Principles
• Use numbers to highlight the most important data
• Use visualizations to put data in context
• Show comparisons, causality, and multivariate data
• To find the right visualization, focus on: Objective, Data, Audience
• Use data context to augment data and tell a story
• Visualization can be used for presentation and/or exploration
• Exploration paradigm: Overview first, zoom and filter, details on demand
Further resources:
http://slideshare.net/zrlram
http://secviz.org and @secviz