Security Research 2.0 - FIT 2008

Security Visualization Dichotomy and what's wrong with the field today.

More on security visualization at http://secviz.org

Published in: Technology, Education

  1. Security Research 2.0. Raffael Marty, GCIA, CISSP, Chief Security Strategist @ Splunk>. FIT-IT Visual Computing, Austria, September '08.
  3. Agenda (slides 2 and 3):
     • Security Visualization Today: the SecViz dichotomy, the failure, the way forward
     • My focus areas
     • The future
     Goal: provoke thought and stir up more questions than offering answers.
  5. Raffael Marty (slides 4 and 5):
     • Chief Security Strategist @ Splunk>
     • Looked at logs / IT data for over 10 years: IBM Research, conference boards / committees
     • Presenting around the world on SecViz
     • Passion for visualization: http://secviz.org, http://afterglow.sourceforge.net
     • Book: Applied Security Visualization, Addison Wesley (August 2008), paperback, 552 pages, ISBN 0321510100
  6. Security Visualization Today (section title)
  11. The 1st Dichotomy: two domains, Security & Visualization (slides 7 to 11, built up incrementally).
     Security:
       • security data
       • networking protocols
       • routing protocols (the Internet)
       • security impact
       • security policy
       • jargon
       • use-cases
       • are the end-users
     Visualization:
       • types of data
       • perception
       • optics
       • color theory
       • depth cue theory
       • interaction theory
       • types of graphs
       • human computer interaction
  12. The Failure: New Graphs (image slide)
  13. The Right Thing: Reuse Graphs (image slide)
  14. The Failure: The Wrong Graph (image slide)
  16. The Right Thing: Adequate Graphs (image slides 15 and 16)
  17. The Failure: The Wrong Integration (shown over an excerpt of /usr/share/man/man5/launchd.plist.5, an XML plist)
     • Using a proprietary data format
     • Providing parsers for various data formats: does not scale, is probably buggy / incomplete
     • Using the wrong data access paradigm: complex configuration, e.g. needs an SSH connection
  18. The Right Thing: KISS (same plist excerpt in the background)
     • Keep It Simple Stupid
     • Use CSV input
     • Use files as input
     • Offload to other tools: parsers, data conversions
     Configuration snippet shown on the slide:
       # Using node sizes:
       size.source=1;
       size.target=200
       maxNodeSize=0.2
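The CSV-in, files-in, offload-the-parsing approach from slide 18, as an added example that is not from the slides or from AfterGlow (the script, the sample log lines and the sizing rule are constructed for this illustration): a separate parser step turns raw log lines into plain CSV, and the visualizer reads only CSV and emits Graphviz DOT, reusing an existing graph tool's format instead of inventing one. The size.source / size.target / maxNodeSize idea from the slide is mirrored by scaling each node's width so the busiest node gets the maximum size.

```python
"""Added example (not from the slides or from AfterGlow): the KISS pipeline
the slide argues for. Parsing of the raw log is a separate step that emits
plain CSV; the visualizer reads only CSV rows (source,target) and emits
Graphviz DOT. The sizing rule and sample data are constructed for this example."""
import csv
import io
import re
from collections import Counter

# Constructed sample firewall log lines (not real data).
RAW_LOG = """\
Oct 12 10:01:02 fw kernel: ACCEPT SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=443
Oct 12 10:01:03 fw kernel: ACCEPT SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=443
Oct 12 10:01:05 fw kernel: DROP SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=22
Oct 12 10:01:09 fw kernel: ACCEPT SRC=10.0.0.5 DST=192.168.1.20 PROTO=UDP DPT=53
"""

_LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+)")

def log_to_csv(raw: str) -> str:
    """Parser step: turn raw log lines into 'source,target' CSV rows.
    Lines that do not match are skipped rather than guessed at."""
    out = io.StringIO()
    writer = csv.writer(out)
    for line in raw.splitlines():
        m = _LINE_RE.search(line)
        if m:
            writer.writerow([m.group(1), m.group(2)])
    return out.getvalue()

def read_edges(csv_text: str) -> Counter:
    """Visualizer input step: count identical source->target edges.
    The text could equally be read from a file, as the slide suggests."""
    edges = Counter()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue  # tolerate blank or malformed rows
        edges[(row[0].strip(), row[1].strip())] += 1
    return edges

def node_sizes(edges: Counter, max_node_size: float = 0.2) -> dict:
    """Size each node by its total edge count, scaled so the busiest node
    gets max_node_size (the idea behind maxNodeSize on the slide)."""
    totals = Counter()
    for (src, dst), n in edges.items():
        totals[src] += n
        totals[dst] += n
    busiest = max(totals.values(), default=1)
    return {node: round(max_node_size * n / busiest, 3) for node, n in totals.items()}

def to_dot(edges: Counter, sizes: dict) -> str:
    """Emit Graphviz DOT (an existing tool's format) instead of a custom one."""
    lines = ["digraph secviz {", "  node [shape=circle fixedsize=true];"]
    for node, size in sorted(sizes.items()):
        # fixed-size nodes need a width in inches; 0.2 maps to 2.0 inches here
        lines.append(f'  "{node}" [width={size * 10:.2f}];')
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    csv_text = log_to_csv(RAW_LOG)
    edges = read_edges(csv_text)
    print(to_dot(edges, node_sizes(edges)))
```

Pipe the printed DOT into `dot -Tpng` to render it; the point is that the parser can be swapped or extended without touching the visualizer, because the only contract between them is a CSV file.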
  19. The Failure: So What? (image slide)
  20. The Right Thing: Help The User Along
     • Provide use-case aligned displays
     • Meaningful legends
     • Interactive exploration
     • UI design that guides the user through tasks
     • Do not overload displays
  21. The Failure: Unnecessary Ink (image slide)
  22. The Right Thing: Apply Good Visualization Practices
     • Don't use graphics to decorate a few numbers
     • Reduce data ink ratio
     • Visualization principles
  24. The 2nd Dichotomy: two worlds, Industry & Academia (slides 23 and 24)
  38. The 2nd Dichotomy (slides 25 to 38, built up incrementally). Some comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08.
     Industry:
       • don't understand the real impact
       • get the 70% solution
       • don't think big
       • no time/money for real research
       • can't scale
       • work based off of a few customers' input
     Academia:
       • don't know what's been done in industry
       • don't understand the use-cases
       • don't understand the environments / data / domain
       • work on simulated data
       • construct their own problems
       • use overly complicated, impractical solutions
       • use graphs / visualization where it is not needed
  39. The Way Forward
     Two disciplines (Security, Visualization):
       • Building a secviz discipline
       • Bridging the gap
       • Learning the "other" discipline
     Two worlds (Industry, Academia):
       • More academia / industry collaboration
       • Build components / widgets / gadgets
       • (Re-)use existing technologies
       • Focus on strengths
       • Focus on the visualization and interaction aspects (SecViz)
  41. My Focus Areas (slides 40 and 41)
     • Use-case oriented visualization
     • Perimeter threat
     • Governance, Risk, Compliance (GRC)
     • Insider threat
     • IT data visualization
     • SecViz.org
     • DAVIX
  42. Insider Threat Visualization
     • Huge amounts of data
     • More and other data sources than for the traditional security use-cases
       - Insiders often have legitimate access to machines and data; you need to log more than the exceptions
       - Insider crimes are often executed on the application layer
     • The questions are not known in advance! Visualization provokes questions and helps find answers
     • Dynamic nature of fraud
       - A problem for static algorithms
       - Bandits quickly adapt to fixed threshold-based detection systems
     • Looking for any unusual patterns
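The slide's point that fixed threshold-based detection is quickly adapted to, as an added example that is not from the talk: a static rule next to a per-user baseline, both run over constructed daily record-access counts for one application user (the threshold, the learning window and the sensitivity factor are assumed values, not figures from the slides). The code also carries the practical caveat that the baseline window must be a period of trusted behaviour; a baseline learned while the abuse is already under way would turn it into the norm.

```python
"""Added example (not from the slides): a fixed threshold is easy to stay
under, while a per-user baseline still surfaces a change in behaviour.
The counts, threshold, window and sensitivity below are constructed/assumed."""
from statistics import mean, pstdev

# Constructed daily counts of customer records read by one application user.
# Days 0-13: normal activity. From day 14 the volume creeps upward but never
# reaches the fixed alert threshold used by the static rule.
DAILY_COUNTS = [12, 11, 13, 12, 10, 14, 12, 11, 13, 12, 11, 12, 13, 12,
                14, 15, 16, 18, 21, 25, 30, 36, 43, 51]

def fixed_threshold_alerts(counts, threshold=100):
    """Static rule: alert on any day whose count exceeds the threshold.
    Anyone who knows (or probes) the threshold simply stays below it."""
    return [day for day, n in enumerate(counts) if n > threshold]

def baseline_alerts(counts, window=14, k=3.0):
    """Per-user baseline: learn mean and spread from the first `window` days
    (which must be a trusted period), then alert on days that deviate by
    more than k standard deviations from that user's own normal."""
    if len(counts) <= window:
        return []  # not enough history to establish a baseline
    base = counts[:window]
    mu, sigma = mean(base), pstdev(base)
    sigma = max(sigma, 1.0)  # floor so a perfectly flat baseline is not hair-trigger
    limit = mu + k * sigma
    return [day for day in range(window, len(counts)) if counts[day] > limit]

def compare(counts):
    """Run both detectors so the difference is visible side by side."""
    return {"fixed": fixed_threshold_alerts(counts),
            "baseline": baseline_alerts(counts)}

if __name__ == "__main__":
    result = compare(DAILY_COUNTS)
    print("fixed threshold alerts:", result["fixed"])
    print("baseline alerts:       ", result["baseline"])
```

On the sample series the static rule never fires, while the baseline flags every day from day 16 onward. This is the detection half of the slide's argument; the visualization half is that plotting the same per-user series lets an analyst spot the ramp even before a rule is written for it.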
  45. SecViz - Security Visualization (slides 43 and 44 are image-only): this is a place to share, discuss, challenge, and learn about security visualization. http://secviz.org
  46. DAVIX: Data Analysis and Visualization Linux, davix.secviz.org
  48. The Future (slides 47 and 48)
     • Addressing the secviz dichotomy
     • Better industry / academia collaboration
     • More and better visualization tools: use-case driven product development
     • We need to solve the data semantics problem: Common Event Expression? Entity extraction?
  49. Thank you! raffael . marty @ secviz . org
