Agenda
• Security Visualization Today
- The SecViz Dichotomy
- The Failure
- The Way Forward
• My Focus Areas
• The Future
Goal: Provoke thought and stir up more questions than offering answers.
Raffael Marty
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
- IBM Research
- Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
- http://secviz.org
- http://afterglow.sourceforge.net
Applied Security Visualization
Paperback: 552 pages
Publisher: Addison Wesley (August, 2008)
ISBN: 0321510100
The 1st Dichotomy
Security
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• security practitioners are the end-users
Visualization
• types of data
• perception
• optics
• color theory
• depth cue theory
• interaction theory
• types of graphs
• human computer interaction
The Right Thing - Help The User Along
• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays
The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Maximize the data-ink ratio (remove ink that carries no data)
• Follow established visualization principles
The 2nd Dichotomy
Some comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08.
Industry
• doesn't understand the real impact
• gets the 70% solution
• doesn't think big
• no time/money for real research
• can't scale
• works based off of a few customers' input
Academia
• doesn't know what's been done in industry
• doesn't understand the use-cases
• doesn't understand the environments / data / domain
• works on simulated data
• constructs its own problems
• uses overly complicated, impractical solutions
• uses graphs / visualization where they are not needed
The Way Forward
Two disciplines: Security and Visualization
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline
Two worlds: industry and academia
• More academia / industry collaboration
• Build components / widgets / gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects
My Focus Areas
• Use-case oriented visualization
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX
Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
- Insiders often have legitimate access to machines and data, so you need to log more than the exceptions
- Insider crimes are often executed on the application layer
• The questions are not known in advance!
- Visualization provokes questions and helps find answers
• Dynamic nature of fraud
- A problem for static algorithms
- Fraudsters quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
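The two points above (insiders act inside legitimate access, and adapt to fixed thresholds) in working code. This is an added example, not from the slides or from any tool mentioned here: the key=value audit format, the user names and the export counts are constructed, and the peer-group median/MAD detector in peer_baseline() is one simple choice of "unusual pattern" detector, not a prescribed method.

```python
"""Fixed threshold vs. peer-group baseline over constructed application logs.

Added example (not from the slides). The line format, users and counts are
constructed. Scenario: one user exports just under a static limit every day.
"""
import re
import statistics
from collections import defaultdict

# Constructed application-layer audit lines in a hypothetical key=value format.
LOG_LINES = """\
2008-08-11T09:02:11 user=alice action=export_records count=40
2008-08-11T09:40:53 user=bob action=export_records count=35
2008-08-11T10:15:00 user=carol action=export_records count=45
2008-08-12T09:05:19 user=alice action=export_records count=38
2008-08-12T09:41:07 user=bob action=export_records count=42
2008-08-12T10:20:44 user=carol action=export_records count=480
2008-08-13T09:01:30 user=alice action=export_records count=44
2008-08-13T09:39:12 user=bob action=export_records count=37
2008-08-13T10:18:05 user=carol action=export_records count=495
2008-08-14T09:03:48 user=alice action=export_records count=41
2008-08-14T09:42:20 user=bob action=export_records count=39
2008-08-14T10:22:31 user=carol action=export_records count=499
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) count=(?P<count>\d+)$"
)


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"],
                           "action": m["action"], "count": int(m["count"])})
    return events


def fixed_threshold(events, limit=500):
    """Static rule: flag any single export above `limit`.

    An insider who knows (or probes) the limit simply stays below it.
    """
    return [(e["ts"], e["user"], e["count"]) for e in events if e["count"] > limit]


def peer_baseline(events, k=3.0):
    """Flag events far from the peer group's baseline for the same action.

    The baseline is the median and MAD of *other* users' counts, so a user's
    own inflated history cannot drag their baseline up, and there is no fixed
    number for the insider to stay under.
    """
    by_action = defaultdict(list)
    for e in events:
        by_action[e["action"]].append(e)
    flagged = []
    for evs in by_action.values():
        for e in evs:
            peers = [p["count"] for p in evs if p["user"] != e["user"]]
            if len(peers) < 3:  # not enough peers to form a baseline
                continue
            med = statistics.median(peers)
            mad = statistics.median(abs(c - med) for c in peers) or 1.0
            score = (e["count"] - med) / mad
            if score > k:
                flagged.append((e["ts"], e["user"], e["count"], round(score, 1)))
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("fixed threshold (>500):", fixed_threshold(evs))  # empty: carol stays under the limit
    for hit in peer_baseline(evs):
        print("peer baseline:", hit)
```

On this input the static rule returns nothing, while the peer baseline flags carol's three exports of 480, 495 and 499 records. The caveat a practitioner would add: a peer baseline can itself be gamed by ramping up slowly or by colluding peers, which is why the slide's point is to look at the patterns rather than to trust any single detector.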
SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about security visualization.
DAVIX - Data Analysis and Visualization Linux
davix.secviz.org
The Future
• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
- Use-case driven product development
• We need to solve the data semantics problem
- Common Event Expression?
- Entity extraction?
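What the data semantics problem looks like in practice, as an added example that is not part of the slides: two constructed log formats (a firewall-style line and an application login line) carry the same entities under different names, and only after extracting them into one vocabulary can a graph join or colour by source address. The common field names (src_ip, user, action, outcome) are this example's own choice, not any standard such as CEE.

```python
"""Entity extraction from heterogeneous log lines into one vocabulary.

Added example (not from the slides). Both line formats are constructed, and
the common field names are our own choice rather than any standard.
"""
import re

# Constructed sample lines: firewall-style lines and application login lines.
SAMPLE_LINES = [
    "Aug 12 09:15:02 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP DPT=445",
    "2008-08-12 09:15:04 app01 login user=alice src=10.0.0.5 result=failure",
    "2008-08-12 09:15:09 app01 login user=alice src=10.0.0.5 result=success",
    "Aug 12 09:15:30 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=192.168.1.20 PROTO=TCP DPT=443",
    "this line matches no known format",
]

FW_RE = re.compile(
    r"kernel: (?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)"
)
APP_RE = re.compile(r"login user=(?P<user>\w+) src=(?P<src>\S+) result=(?P<result>\w+)")


def from_firewall(m):
    """Map a firewall match onto the common vocabulary."""
    return {"source": "firewall", "action": m["action"].lower(),
            "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"])}


def from_app(m):
    """Map an application login match onto the common vocabulary."""
    return {"source": "app", "action": "login", "user": m["user"],
            "src_ip": m["src"], "outcome": m["result"]}


EXTRACTORS = [(FW_RE, from_firewall), (APP_RE, from_app)]


def extract(line):
    """Return a normalized event dict, or None if no extractor recognizes the line."""
    for pattern, build in EXTRACTORS:
        m = pattern.search(line)
        if m:
            return build(m)
    return None


def pivot_by_src(lines):
    """Group normalized events by src_ip: the join a graph needs to link a
    firewall drop and an application login coming from the same address."""
    by_src = {}
    for line in lines:
        ev = extract(line)
        if ev is not None:
            by_src.setdefault(ev["src_ip"], []).append(ev)
    return by_src


if __name__ == "__main__":
    for src, events in pivot_by_src(SAMPLE_LINES).items():
        print(src, [(e["source"], e["action"], e.get("outcome", "")) for e in events])
```

Lines that no extractor recognizes are dropped rather than guessed at; for a visualization tool that is the safer failure, since a wrong src_ip silently corrupts every pivot built on it.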