SlideShare a Scribd company logo
Security Research2.0 - FIT 2008
Security Research 2.0
Raffael Marty, GCIA, CISSP
Chief Security Strategist @ Splunk>

FIT-IT Visual Computing, Austria - September ‘08
Agenda
• Security Visualization Today
 - The SecViz Dichotomy

 - The Failure

 - The Way Forward

• My Focus Areas
• The Future


     2
Agenda
• Security Visualization Today
 - The SecViz Dichotomy

 - The Failure                               Goal:
 - The Way Forward
                                 Provoke thought and stir up
                                 more questions than offering
• My Focus Areas                          answers.

• The Future


     2
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
 -   IBM Research
 -   Conference boards / committees

• Presenting around the world on SecViz
• Passion for Visualization
                                             Applied Security Visualization
 -   http://secviz.org                                  Paperback: 552 pages
                                              Publisher: Addison Wesley (August, 2008)
 -   http://afterglow.sourceforge.net
                                                          ISBN: 0321510100
Raffael Marty
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
 -   IBM Research
 -   Conference boards / committees

• Presenting around the world on SecViz
• Passion for Visualization
                                             Applied Security Visualization
 -   http://secviz.org                                  Paperback: 552 pages
                                              Publisher: Addison Wesley (August, 2008)
 -   http://afterglow.sourceforge.net
                                                          ISBN: 0321510100
Security Research2.0 - FIT 2008
Security Visualization Today
The 1st Dichotomy




5
The 1st Dichotomy


         two domains
    Security & Visualization

5
The 1st Dichotomy
Security         Visualization




     5
The 1st Dichotomy
Security                             Visualization
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• are the end-users

      5
The 1st Dichotomy
Security                             Visualization
• security data                      • types of data
• networking protocols               • perception
• routing protocols (the Internet)   • optics
• security impact                    • color theory
• security policy                    • depth cue theory
• jargon                             • interaction theory
• use-cases                          • types of graphs
• are the end-users                  • human computer interaction

      5
The Failure - New Graphs




6
The Right Thing - Reuse Graphs




7
The Failure - The Wrong Graph




8
The Right Thing - Adequate Graphs




9
The Right Thing - Adequate Graphs




9
The Failure - The Wrong Integration
                                             /usr/share/man/man5/launchd.plist.5
                                             <?xml version="1.0" encoding="UTF-8"?>
                                             <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
• Using proprietary data format              <plist version="1.0">
                                             <dict>
                                                 <key>_name</key>

• Provide parsers for various data formats       <dict>
                                                      <key>_isColumn</key>
                                                      <string>YES</string>
                                                      <key>_isOutlineColumn</key>

 • does not scale                                     <string>YES</string>
                                                      <key>_order</key>
                                                      <string>0</string>
                                                 </dict>
 • is probably buggy / incomplete                <key>bsd_name</key>
                                                 <dict>
                                                      <key>_order</key>
                                                      <string>62</string>
• Use wrong data access paradigm                 </dict>
                                                 <key>detachable_drive</key>
                                                 <dict>

 • complex configuration                              <key>_order</key>
                                                      <string>59</string>
                                                 </dict>

   e.g., needs an SSH connection                 <key>device_manufacturer</key>
                                                 <dict>
                                                      <key>_order</key>
                                                      <string>41</string>
                                                 </dict>
                                                 <key>device_model</key>
                                                 <dict>
                                                      <key>_order</key>
                                                      <string>42</string>
                                                 </dict>
                                                 <key>device_revision</key>



     10
The Right Thing - KISS
                             /usr/share/man/man5/launchd.plist.5
                             <?xml version="1.0" encoding="UTF-8"?>
                             <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

• Keep It Simple Stupid      <plist version="1.0">
                             <dict>
                                 <key>_name</key>
                                 <dict>

• Use CSV input                       <key>_isColumn</key>
                                      <string>YES</string>
                                      <key>_isOutlineColumn</key>
                                      <string>YES</string>

• Use files as input                  <key>_order</key>
                                      <string>0</string>
                                 </dict>
                                 <key>bsd_name</key>
                                                                                                                                          # Using node sizes:
• Offload to other tools         <dict>
                                      <key>_order</key>
                                      <string>62</string>                                                                                 size.source=1;
                                 </dict>

 • parsers                       <key>detachable_drive</key>
                                 <dict>
                                                                                                                                          size.target=200
                                      <key>_order</key>
                                      <string>59</string>
                                                                                                                                          maxNodeSize=0.2
 • data conversions              </dict>
                                 <key>device_manufacturer</key>
                                 <dict>
                                      <key>_order</key>
                                      <string>41</string>
                                 </dict>
                                 <key>device_model</key>
                                 <dict>
                                      <key>_order</key>
                                      <string>42</string>
                                 </dict>
                                 <key>device_revision</key>




     11
The Failure - So What?




12
The Right Thing - Help The User Along
• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays




     13
The Failure - Unnecessary Ink




14
The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce data ink ratio
• Visualization principles




     15
The 2nd Dichotomy




16
The 2nd Dichotomy


         two worlds
     Industry & Academia

16
The 2nd Dichotomy
                               Some comments are based on paper reviews from
                                               RAID 2007/08, VizSec 2007/08
Industry         Academia




    16
The 2nd Dichotomy
                                                Some comments are based on paper reviews from
                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact




     16
The 2nd Dichotomy
                                                Some comments are based on paper reviews from
                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact
• get the 70% solution




     16
The 2nd Dichotomy
                                                Some comments are based on paper reviews from
                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big




     16
The 2nd Dichotomy
                                                Some comments are based on paper reviews from
                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research




     16
The 2nd Dichotomy
                                                Some comments are based on paper reviews from
                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale




     16
The 2nd Dichotomy
                                                Some comments are based on paper reviews from
                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few
 customer’s input




     16
The 2nd Dichotomy
                                                             Some comments are based on paper reviews from
                                                                             RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact   • don’t know what’s been done in industry
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few
 customer’s input




     16
The 2nd Dichotomy
                                                             Some comments are based on paper reviews from
                                                                             RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact   • don’t know what’s been done in industry
• get the 70% solution               • don’t understand the use-cases
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few
 customer’s input




     16
The 2nd Dichotomy
                                                             Some comments are based on paper reviews from
                                                                             RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact   • don’t know what’s been done in industry
• get the 70% solution               • don’t understand the use-cases
• don’t think big                    • don’t understand the environments /
                                      data / domain
• no time/money for real research
• can’t scale
• work based off of a few
 customer’s input




     16
The 2nd Dichotomy
                                                                Some comments are based on paper reviews from
                                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact   • don’t know what’s been done in industry
• get the 70% solution               • don’t understand the use-cases
• don’t think big                    • don’t understand the environments /
                                       data / domain
• no time/money for real research    • work on simulated data
• can’t scale
• work based off of a few
 customer’s input




     16
The 2nd Dichotomy
                                                             Some comments are based on paper reviews from
                                                                             RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact   • don’t know what’s been done in industry
• get the 70% solution               • don’t understand the use-cases
• don’t think big                    • don’t understand the environments /
                                       data / domain
• no time/money for real research    • work on simulated data
• can’t scale                        • construct their own problems
• work based off of a few
 customer’s input




     16
The 2nd Dichotomy
                                                              Some comments are based on paper reviews from
                                                                              RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact   • don’t know what’s been done in industry
• get the 70% solution               • don’t understand the use-cases
• don’t think big                    • don’t understand the environments /
                                       data / domain
• no time/money for real research    • work on simulated data
• can’t scale                        • construct their own problems
• work based off of a few            • use overly complicated, impractical
 customer’s input                      solutions




     16
The 2nd Dichotomy
                                                                Some comments are based on paper reviews from
                                                                                RAID 2007/08, VizSec 2007/08
Industry                             Academia
• don’t understand the real impact   • don’t know what’s been done in industry
• get the 70% solution               • don’t understand the use-cases
• don’t think big                    • don’t understand the environments /
                                       data / domain
• no time/money for real research    • work on simulated data
• can’t scale                        • construct their own problems
• work based off of a few            • use overly complicated, impractical
 customer’s input                      solutions
                                     • use graphs / visualization where it is not
                                       needed

     16
The Way Forward
Two disciplines
• Building a secviz discipline
• Bridging the gap                                       Security Visualization
• Learning the “other” discipline

Two worlds
•   More academia / industry collaboration
•   Build components / widgets / gadgets
•   (Re-)use existing technologies
•   Focus on strengths                                         SecViz
•   Focus on the visualization and interaction aspects

       17
• Use-case oriented visualization
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX




     18
My Focus Areas
• Use-case oriented visualization
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX




     18
Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
 -   Insiders often have legitimate access to machines and data. You need to log more than the
     exceptions
 -   Insider crimes are often executed on the application layer
• The questions are not known in advance!
 -   Visualization provokes questions and helps find answers
• Dynamic nature of fraud
 -   Problem for static algorithms
 -   Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
         19
20
20
SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about
                    security visualization.
V
          D            X
Data Analysis and Visualization Linux
          davix.secviz.org
• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
 -   Use-case driven product development

• We need to solve the data semantics problem
 -   Common Event Expression?
 -   Entity extraction?




        23
The Future
• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
 -   Use-case driven product development

• We need to solve the data semantics problem
 -   Common Event Expression?
 -   Entity extraction?




        23
Vielen Dank!


S
    E    V
                      raffael . marty @ secviz . org
     C       I
                 Z

More Related Content

Viewers also liked

Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
Raffael Marty
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber Security
Cambridge Intelligence
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
Raffael Marty
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
Raffael Marty
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step Back
Raffael Marty
 
Cyber Security Visualization
Cyber Security VisualizationCyber Security Visualization
Cyber Security Visualization
Doug Cogswell
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
Raffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
amiable_indian
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
James Sirota
 

Viewers also liked (11)

Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
Visualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber SecurityVisualizing Threats: Network Visualization for Cyber Security
Visualizing Threats: Network Visualization for Cyber Security
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step Back
 
Cyber Security Visualization
Cyber Security VisualizationCyber Security Visualization
Cyber Security Visualization
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
 

Similar to Security Research2.0 - FIT 2008

Designing a Secure Cocoa App
Designing a Secure Cocoa AppDesigning a Secure Cocoa App
Designing a Secure Cocoa App
Graham Lee
 
DataStax: Enabling Search in your Cassandra Application with DataStax Enterprise
DataStax: Enabling Search in your Cassandra Application with DataStax EnterpriseDataStax: Enabling Search in your Cassandra Application with DataStax Enterprise
DataStax: Enabling Search in your Cassandra Application with DataStax Enterprise
DataStax Academy
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
 
スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化
スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化
スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化
Taro Matsuzawa
 
Internal training - Eda
Internal training - EdaInternal training - Eda
Internal training - Eda
Tony Vo
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-coding
Trần Bình Hậu
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for Developers
Jonathan Levin
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
Matthew Johnson
 
Rails Tips and Best Practices
Rails Tips and Best PracticesRails Tips and Best Practices
Rails Tips and Best Practices
David Keener
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and Masking
DLT Solutions
 
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICESONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
DrupalCamp Kyiv
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
Gábor Hojtsy
 
iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...
iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...
iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...
Rudy Jahchan
 
Cryptography and encryption and security network
Cryptography and encryption and security networkCryptography and encryption and security network
Cryptography and encryption and security network
NirajKumar620142
 
Big security for big data
Big security for big dataBig security for big data
Big security for big data
Ari Elias-Bachrach
 
Rails Security
Rails SecurityRails Security
Rails Security
Wen-Tien Chang
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking it
Tim Plummer
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
Gábor Hojtsy
 
Data DevOps: An Overview
Data DevOps: An OverviewData DevOps: An Overview
Data DevOps: An Overview
Scott W. Ambler
 
Drupal security
Drupal securityDrupal security
Drupal security
Jozef Toth
 

Similar to Security Research2.0 - FIT 2008 (20)

Designing a Secure Cocoa App
Designing a Secure Cocoa AppDesigning a Secure Cocoa App
Designing a Secure Cocoa App
 
DataStax: Enabling Search in your Cassandra Application with DataStax Enterprise
DataStax: Enabling Search in your Cassandra Application with DataStax EnterpriseDataStax: Enabling Search in your Cassandra Application with DataStax Enterprise
DataStax: Enabling Search in your Cassandra Application with DataStax Enterprise
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
 
スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化
スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化
スマートフォン勉強会@関東 #11 LT 5分で語る SQLite暗号化
 
Internal training - Eda
Internal training - EdaInternal training - Eda
Internal training - Eda
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-coding
 
Scaling MySQL Strategies for Developers
Scaling MySQL Strategies for DevelopersScaling MySQL Strategies for Developers
Scaling MySQL Strategies for Developers
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Rails Tips and Best Practices
Rails Tips and Best PracticesRails Tips and Best Practices
Rails Tips and Best Practices
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and Masking
 
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICESONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...
iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...
iOSDevCamp 2011 - Getting "Test"-y: Test Driven Development & Automated Deplo...
 
Cryptography and encryption and security network
Cryptography and encryption and security networkCryptography and encryption and security network
Cryptography and encryption and security network
 
Big security for big data
Big security for big dataBig security for big data
Big security for big data
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking it
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
 
Data DevOps: An Overview
Data DevOps: An OverviewData DevOps: An Overview
Data DevOps: An Overview
 
Drupal security
Drupal securityDrupal security
Drupal security
 

More from Raffael Marty

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
Raffael Marty
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
Raffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
Raffael Marty
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
Raffael Marty
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
Raffael Marty
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
Raffael Marty
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
Raffael Marty
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
Raffael Marty
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
Raffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
Raffael Marty
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
Raffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
Raffael Marty
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
Raffael Marty
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data Mining
Raffael Marty
 
Visual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceVisual Analytics and Security Intelligence
Visual Analytics and Security Intelligence
Raffael Marty
 

More from Raffael Marty (20)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data Mining
 
Visual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceVisual Analytics and Security Intelligence
Visual Analytics and Security Intelligence
 

Recently uploaded

Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 

Recently uploaded (20)

Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 

Security Research2.0 - FIT 2008

  • 2. Security Research 2.0 Raffael Marty, GCIA, CISSP Chief Security Strategist @ Splunk> FIT-IT Visual Computing, Austria - September ‘08
  • 3. Agenda • Security Visualization Today - The SecViz Dichotomy - The Failure - The Way Forward • My Focus Areas • The Future 2
  • 4. Agenda • Security Visualization Today - The SecViz Dichotomy - The Failure Goal: - The Way Forward Provoke thought and stir up more questions than offering • My Focus Areas answers. • The Future 2
  • 5. • Chief Security Strategist @ Splunk> • Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees • Presenting around the world on SecViz • Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100
  • 6. Raffael Marty • Chief Security Strategist @ Splunk> • Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees • Presenting around the world on SecViz • Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100
  • 10. The 1st Dichotomy two domains Security & Visualization 5
  • 11. The 1st Dichotomy Security Visualization 5
  • 12. The 1st Dichotomy Security Visualization • security data • networking protocols • routing protocols (the Internet) • security impact • security policy • jargon • use-cases • are the end-users 5
  • 13. The 1st Dichotomy Security Visualization • security data • types of data • networking protocols • perception • routing protocols (the Internet) • optics • security impact • color theory • security policy • depth cue theory • jargon • interaction theory • use-cases • types of graphs • are the end-users • human computer interaction 5
  • 14. The Failure - New Graphs 6
  • 15. The Right Thing - Reuse Graphs 7
  • 16. The Failure - The Wrong Graph 8
  • 17. The Right Thing - Adequate Graphs 9
  • 18. The Right Thing - Adequate Graphs 9
  • 19. The Failure - The Wrong Integration /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> • Using proprietary data format <plist version="1.0"> <dict> <key>_name</key> • Provide parsers for various data formats <dict> <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> • does not scale <string>YES</string> <key>_order</key> <string>0</string> </dict> • is probably buggy / incomplete <key>bsd_name</key> <dict> <key>_order</key> <string>62</string> • Use wrong data access paradigm </dict> <key>detachable_drive</key> <dict> • complex configuration <key>_order</key> <string>59</string> </dict> e.g., needs an SSH connection <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 10
  • 20. The Right Thing - KISS /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> • Keep It Simple Stupid <plist version="1.0"> <dict> <key>_name</key> <dict> • Use CSV input <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> <string>YES</string> • Use files as input <key>_order</key> <string>0</string> </dict> <key>bsd_name</key> # Using node sizes: • Offload to other tools <dict> <key>_order</key> <string>62</string> size.source=1; </dict> • parsers <key>detachable_drive</key> <dict> size.target=200 <key>_order</key> <string>59</string> maxNodeSize=0.2 • data conversions </dict> <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 11
  • 21. The Failure - So What? 12
  • 22. The Right Thing - Help The User Along • Provide use-case aligned displays • Meaningful legends • Interactive exploration • UI design that guides the user through tasks • Do not overload displays 13
  • 23. The Failure - Unnecessary Ink 14
  • 24. The Right Thing - Apply Good Visualization Practices • Don't use graphics to decorate a few numbers • Reduce data ink ratio • Visualization principles 15
  • 26. The 2nd Dichotomy two worlds Industry & Academia 16
  • 27. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia 16
  • 28. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact 16
  • 29. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution 16
  • 30. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big 16
  • 31. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research 16
  • 32. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research • can’t scale 16
  • 33. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  • 34. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  • 35. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  • 36. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  • 37. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • work based off of a few customer’s input 16
  • 38. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few customer’s input 16
  • 39. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few • use overly complicated, impractical customer’s input solutions 16
  • 40. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few • use overly complicated, impractical customer’s input solutions • use graphs / visualization where it is not needed 16
  • 41. The Way Forward Two disciplines • Building a secviz discipline • Bridging the gap Security Visualization • Learning the “other” discipline Two worlds • More academia / industry collaboration • Build components / widgets / gadgets • (Re-)use existing technologies • Focus on strengths SecViz • Focus on the visualization and interaction aspects 17
  • 42. • Use-case oriented visualization • Perimeter Threat • Governance Risk Compliance (GRC) • Insider Threat • IT data visualization • SecViz.Org • DAVIX 18
  • 43. My Focus Areas • Use-case oriented visualization • Perimeter Threat • Governance Risk Compliance (GRC) • Insider Threat • IT data visualization • SecViz.Org • DAVIX 18
  • 44. Insider Threat Visualization • Huge amounts of data • More and other data sources than for the traditional security use-cases - Insiders often have legitimate access to machines and data. You need to log more than the exceptions - Insider crimes are often executed on the application layer • The questions are not known in advance! - Visualization provokes questions and helps find answers • Dynamic nature of fraud - Problem for static algorithms - Bandits quickly adapt to fixed threshold-based detection systems • Looking for any unusual patterns 19
  • 45. 20
  • 46. 20
  • 47. SecViz - Security Visualization This is a place to share, discuss, challenge, and learn about security visualization.
  • 48. V D X Data Analysis and Visualization Linux davix.secviz.org
  • 49. • Addressing the secviz dichotomy • Better industry - academia collaboration • More and better visualization tools - Use-case driven product development • We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23
  • 50. The Future • Addressing the secviz dichotomy • Better industry - academia collaboration • More and better visualization tools - Use-case driven product development • We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23
  • 51. Vielen Dank! S E V raffael . marty @ secviz . org C I Z