Security Research2.0 - FIT 2008
Security Visualization Dichotomy and what's wrong with the field today.

More on security visualization at http://secviz.org
Presentation Transcript

Slide: Security Research 2.0
Raffael Marty, GCIA, CISSP
Chief Security Strategist @ Splunk>
FIT-IT Visual Computing, Austria - September '08

Slide: Agenda
• Security Visualization Today
  - The SecViz Dichotomy
  - The Failure
  - The Way Forward
• My Focus Areas
• The Future
Goal: Provoke thought and stir up more questions than offering answers.

Slide: Raffael Marty
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
  - IBM Research
  - Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
  - http://secviz.org
  - http://afterglow.sourceforge.net
Book: Applied Security Visualization. Paperback: 552 pages. Publisher: Addison Wesley (August, 2008). ISBN: 0321510100
Slide: Security Visualization Today

Slide: The 1st Dichotomy - two domains: Security & Visualization
Security:
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• are the end-users
Visualization:
• types of data
• perception
• optics
• color theory
• depth cue theory
• interaction theory
• types of graphs
• human computer interaction

Slide: The Failure - New Graphs

Slide: The Right Thing - Reuse Graphs

Slide: The Failure - The Wrong Graph

Slide: The Right Thing - Adequate Graphs

Slide: The Failure - The Wrong Integration
(slide background: an XML property-list excerpt, /usr/share/man/man5/launchd.plist.5)
• Using proprietary data format
• Provide parsers for various data formats
  - does not scale
  - is probably buggy / incomplete
• Use wrong data access paradigm
  - complex configuration, e.g., needs an SSH connection

Slide: The Right Thing - KISS
(slide background: the same XML property-list excerpt)
• Keep It Simple Stupid
• Use CSV input
• Use files as input
• Offload to other tools
  - parsers
  - data conversions
Inset configuration example from the slide:
# Using node sizes:
size.source=1;
size.target=200
maxNodeSize=0.2
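As an added illustration of the KISS data path this slide advocates (edges read from a CSV file, a tiny key=value property file, everything else offloaded to other tools), here is a small Python converter that is not AfterGlow's code and not the author's. It reuses the slide's property keys size.source, size.target and maxNodeSize, but the meaning it gives them (per-row size increments, rescaled so the largest node equals maxNodeSize) is this example's assumption, and the CSV and property text are constructed samples.

```python
import csv
import io
from collections import Counter

# Constructed sample input: one "source,target" edge per line, as a CSV file would hold it.
SAMPLE_CSV = """10.0.0.5,80
10.0.0.5,443
10.0.0.7,80
10.0.0.9,22
10.0.0.9,22
"""

# Constructed property file reusing the slide's keys; the semantics below are assumed, not AfterGlow's.
SAMPLE_PROPS = """# Using node sizes:
size.source=1;
size.target=200
maxNodeSize=0.2
"""

def parse_props(text):
    """key=value lines; '#' starts a comment and a trailing ';' is tolerated."""
    props = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = float(value.strip())
    return props

def node_sizes(csv_text, props):
    """Assumed semantics: a node gains size.source per row it sources and size.target
    per row it targets; sizes are then rescaled so the largest equals maxNodeSize."""
    raw = Counter()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue  # malformed row: parsing and cleanup are offloaded to upstream tools
        raw[row[0].strip()] += props.get("size.source", 1.0)
        raw[row[1].strip()] += props.get("size.target", 1.0)
    biggest = max(raw.values(), default=1.0)
    return {n: round(s / biggest * props.get("maxNodeSize", 1.0), 4) for n, s in raw.items()}

def to_dot(csv_text, props):
    """Emit Graphviz DOT: node width carries the computed size, edges come straight from the CSV."""
    sizes = node_sizes(csv_text, props)
    out = ["digraph secviz {"]
    out += [f'  "{n}" [width={s}];' for n, s in sorted(sizes.items())]
    out += [f'  "{r[0].strip()}" -> "{r[1].strip()}";'
            for r in csv.reader(io.StringIO(csv_text)) if len(r) >= 2]
    out.append("}")
    return "\n".join(out)
```

Piping the string returned by `to_dot(SAMPLE_CSV, parse_props(SAMPLE_PROPS))` into `dot -Tpng` renders the graph; swapping the CSV file is the only change needed for new data.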
Slide: The Failure - So What?

Slide: The Right Thing - Help The User Along
• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays

Slide: The Failure - Unnecessary Ink

Slide: The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce data ink ratio
• Visualization principles

Slide: The 2nd Dichotomy - two worlds: Industry & Academia
Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08.
Industry:
• don't understand the real impact
• get the 70% solution
• don't think big
• no time/money for real research
• can't scale
• work based off of a few customer's input
Academia:
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data / domain
• work on simulated data
• construct their own problems
• use overly complicated, impractical solutions
• use graphs / visualization where it is not needed

Slide: The Way Forward
Two disciplines (Security, Visualization):
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline
Two worlds (Industry, Academia):
• More academia / industry collaboration
• Build components / widgets / gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

Slide: My Focus Areas
• Use-case oriented visualization
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX

Slide: Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions
  - Insider crimes are often executed on the application layer
• The questions are not known in advance!
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns

Slide: SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about security visualization.

Slide: DAVIX - Data Analysis and Visualization Linux
davix.secviz.org

Slide: The Future
• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression?
  - Entity extraction?

Slide: Thank you very much!
raffael . marty @ secviz . org