
Wim Remes SOURCE Boston 2011


Wim Remes SOURCE Boston 2011 Prezo
Among the blind, the squinter rules.
Security visualization in the field.

@wimremes on twitter
wremes-at-gmail-dot-com



  1. Among the blind, the squinter rules. Security visualization in the field
  2. About me: Wim Remes. Ernst and Young Belgium (ITRA FSO). Incident Response/Analysis. Security Monitoring (SIEM). Security Management. Eurotrash podcast. InfosecMentors. Brucon. @wimremes on twitter, wremes-at-gmail-dot-com
  3. Disclaimer: The opinions and ideas expressed in this talk are my own and are not endorsed by any corporate entity or church.
  4. Agenda: 1. please your audience 2. tools can [save|kill] your day 3. visualization hall of fail 4. tips & tricks 5. Let’s get to work
  5. -1- please your audience
  6. Changing the tune keeps people engaged (picture by tochis: http://www.flickr.com/photos/tochis/)
  7. who’s that for? Management: Historical; Comparative; Supporting Decisions & Business Objectives; Clear & Concise; Actionable! Technical: (Near) Real Time; More complex; Facilitating the job; Actionable! 42
  8. you’re the designer
  9. Zen master of data visualization: Edward Tufte. data can be beautiful! data should be beautiful!
  10. Dashboard design guru: Stephen Few. “The sad thing about dancing bearware is that most people are quite satisfied with the lumbering beast.” Alan Cooper, 1999, The Inmates Are Running the Asylum.
  11. -2- Tools can [save|kill] your day
  12. What tools can I use? cool kids use this (not!)
  13. What tools can I use? - Desktop - Server
  14. Security tools will help ... PS: export to CSV works well ... try it for a 5000+ host network ;)
  15. credit where credit is due ...
  16. this is going in the right direction...
  17. Open source it is then ... grep sed awk perl ... http://www.secviz.org kudos to @zrlram
  18. -3- visualization hall of fail
  19. PIE, it’s what’s in your face
  20. whoa, I take the biggest piece!
  21. sometimes however, they rock ...
  22. to explain simple stuff ;-)
  23. “if bullet points are the obvious killers, pie charts are shurikens”
  24. Even the best can fail...
  25. 3D?
  26. failing in style ...
  27. playing hide and seek?
  28. we have to raise the bar or maybe not ...
  29. Sometimes it’s easy ... a 21st century bar(r) chart
  30. -4- tips & tricks
  31. sparklines (aka datawords)
  32. Infographics (example courtesy of ZoneAlarm, by Checkpoint)
  33. choose your chart wisely http://www.flickr.com/photos/amit-agarwal/3196386402/
  34. Get data from external sources - osvdb.org - datalossdb.org - various industry reports - Verizon DBIR - EY GISS - Trustwave, McAfee, Symantec, ... - virustotal.com - cvedetails.com. context creates clarity
  35. 让我们作的更好 (let’s make things better) [chart: Vulnerabilities by Severity Level, severity 1 to 5 against a 0 to 100 scale] 3D? compared to? last year? last month?
  36. Messy Dashboards (1/5)
  37. Messy Dashboards (2/5) network status
  38. Messy Dashboards (3/5) [chart: Events/Second, 12:00 to 13:00]
  39. Messy Dashboards (4/5) Top attackers: 10.10.10.10, 192.168.10.234, 172.30.12.15, 8.8.8.8. Top targets: 172.16.12.30, 172.16.12.15, 172.16.12.230, 172.16.12.120
  40. Messy Dashboards (5/5) [chart: Local Network - Inbound bytes, 9:00 to 13:00]
  41. [composite dashboard: server health (Windows, Unix, Network); network status; Events/Second; Major Events (worms, portscans, failed logins, FTP); Top attackers; Top targets; Local Network - Inbound bytes]
  42. 3,1415926535897932384626433832
  43. Blink...Understand [chart: countries DE, CN, US, NL, US, US, BE; networks Great Lakes, KEYWEB, TimeNet, VolumeDrive, EuroAccess, RoadRunner, ISPSYSTEM-AS, Comnet AS]
  44. Ok, we can still say it with pie: NL CN BE DE US
  45. -5- let’s get to work
  46. Davix | gltail: ruby | real time | logs http://www.fudgie.org/ http://dataviz.com.au/blog/Visualizing_VOIP_attacks.html
  47. Davix | afterglow (credit: David Bernal Michelena) http://www.honeynet.org/challenges/2010_5_log_mysteries
  48. Burpdot http://un-excogitate.org/
  49. Google Charts API http://code.google.com/apis/chart/ http://search.cpan.org/dist/URI-GoogleChart/
  50. Google Visualization API
  51. Google Visualization API
      Nevada;7526;6/11/10;Theft;Network Server
      Texas;600;5/29/10;Theft;Network Server
      California;1000;5/25/10 and 5/26/2010;Other;Paper
      Arizona;5893;5/15/10;Theft;Laptop
      Kansas;1105;5/12/10;Theft;Laptop
      South Carolina;653;5/09/10;Theft;Laptop
      Texas;4083;5/04/10;Improper Disposal;Paper Records
      Maryland;937;5/03/10;Other;E-mail
      Michigan;2300;5/02/10;Theft;Laptop
      New York;1020;4/30/10;Theft, Unauthorized Access;Laptop, Desktop Computer, ...
      http://code.google.com/apis/ajax/playground/?type=visualization#tree_map
  52. jquery libraries (almost) CC BY-NC 3.0 (To the cloud!)
  53. Conclusions - We need data standardization badly - Understand your data - We need to think outside the box - There’s more to visualization than pie charts - There are tools out there: use them wisely
  54. Thank you wremes@gmail.com - @wimremes
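As an added worked example, not part of the talk, here is the data preparation behind slide 51's tree map: it parses the semicolon-separated breach records shown there, copes with the two irregularities visible in them (one field holding two dates in two formats, and comma-separated multi-valued type and medium fields), and aggregates records lost by breach type and medium into the [node, parent, size] rows that a TreeMap DataTable takes. The helper names and the first-listed-value attribution rule are this example's own assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample: the ten records shown on the Google Visualization API slide.
SAMPLE = """\
Nevada;7526;6/11/10;Theft;Network Server
Texas;600;5/29/10;Theft;Network Server
California;1000;5/25/10 and 5/26/2010;Other;Paper
Arizona;5893;5/15/10;Theft;Laptop
Kansas;1105;5/12/10;Theft;Laptop
South Carolina;653;5/09/10;Theft;Laptop
Texas;4083;5/04/10;Improper Disposal;Paper Records
Maryland;937;5/03/10;Other;E-mail
Michigan;2300;5/02/10;Theft;Laptop
New York;1020;4/30/10;Theft, Unauthorized Access;Laptop, Desktop Computer, ...
"""

# first_date: a row may list several dates, keep the first.
# types/media: the multi-valued fields, split on commas.
Breach = namedtuple("Breach", "state records first_date types media")

def parse_date(text):
    # The same field mixes m/d/yy and m/d/yyyy ("5/25/10 and 5/26/2010").
    first = text.split(" and ")[0].strip()
    fmt = "%m/%d/%Y" if len(first.split("/")[-1]) == 4 else "%m/%d/%y"
    return datetime.strptime(first, fmt).date()

def split_multi(field):
    # "Laptop, Desktop Computer, ..." -> ["Laptop", "Desktop Computer"]
    return [v.strip() for v in field.split(",") if v.strip() not in ("", "...")]

def parse_records(text):
    rows = [line.split(";") for line in text.splitlines() if line.strip()]
    return [Breach(s, int(n), parse_date(d), split_multi(t), split_multi(m))
            for s, n, d, t, m in rows]

def treemap_rows(breaches):
    # Records lost by breach type, then medium, as [node, parent, size] rows of
    # the shape a TreeMap DataTable takes (parents carry 0, leaves the count).
    # Multi-valued rows go to their first listed value: a simplification, and
    # exactly the "data standardization" gap the talk's conclusions name.
    totals = defaultdict(int)
    for b in breaches:
        totals[(b.types[0], b.media[0])] += b.records
    rows = [["Breaches", None, 0]]
    rows += [[t, "Breaches", 0] for t in sorted({t for t, _ in totals})]
    # leaf ids carry the type prefix so "Laptop" under two types stays unique
    rows += [[f"{t} / {m}", t, n] for (t, m), n in sorted(totals.items())]
    return rows
```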
