Security Research 2.0
Raffael Marty, GCIA, CISSP
Chief Security Strategist @ Splunk>
FIT-IT Visual Computing, Austria - September ‘08

Agenda
• Security Visualization Today
- The SecViz Dichotomy
- The Failure
- The Way Forward
• My Focus Areas
• The Future
2

Agenda
• Security Visualization Today
- The SecViz Dichotomy
- The Failure Goal:
- The Way Forward
Provoke thought and stir up
more questions than offering
• My Focus Areas answers.
• The Future
2

• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
- IBM Research
- Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
Applied Security Visualization
- http://secviz.org Paperback: 552 pages
Publisher: Addison Wesley (August, 2008)
- http://afterglow.sourceforge.net
ISBN: 0321510100

Raffael Marty
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
- IBM Research
- Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
Applied Security Visualization
- http://secviz.org Paperback: 552 pages
Publisher: Addison Wesley (August, 2008)
- http://afterglow.sourceforge.net
ISBN: 0321510100

Security Visualization Today

The 1st Dichotomy
5

The 1st Dichotomy
two domains
Security & Visualization
5

The 1st Dichotomy
Security Visualization
5

The 1st Dichotomy
Security Visualization
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• are the end-users
5

The 1st Dichotomy
Security Visualization
• security data • types of data
• networking protocols • perception
• routing protocols (the Internet) • optics
• security impact • color theory
• security policy • depth cue theory
• jargon • interaction theory
• use-cases • types of graphs
• are the end-users • human computer interaction
5

The Failure - New Graphs
6

The Right Thing - Reuse Graphs
7

The Failure - The Wrong Graph
8

The Right Thing - Adequate Graphs
9

The Right Thing - Adequate Graphs
9

The Failure - The Wrong Integration
/usr/share/man/man5/launchd.plist.5
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
• Using proprietary data format <plist version="1.0">
<dict>
<key>_name</key>
• Provide parsers for various data formats <dict>
<key>_isColumn</key>
<string>YES</string>
<key>_isOutlineColumn</key>
• does not scale <string>YES</string>
<key>_order</key>
<string>0</string>
</dict>
• is probably buggy / incomplete <key>bsd_name</key>
<dict>
<key>_order</key>
<string>62</string>
• Use wrong data access paradigm </dict>
<key>detachable_drive</key>
<dict>
• complex configuration <key>_order</key>
<string>59</string>
</dict>
e.g., needs an SSH connection <key>device_manufacturer</key>
<dict>
<key>_order</key>
<string>41</string>
</dict>
<key>device_model</key>
<dict>
<key>_order</key>
<string>42</string>
</dict>
<key>device_revision</key>
10

The Right Thing - KISS
/usr/share/man/man5/launchd.plist.5
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
• Keep It Simple Stupid <plist version="1.0">
<dict>
<key>_name</key>
<dict>
• Use CSV input <key>_isColumn</key>
<string>YES</string>
<key>_isOutlineColumn</key>
<string>YES</string>
• Use files as input <key>_order</key>
<string>0</string>
</dict>
<key>bsd_name</key>
# Using node sizes:
• Offload to other tools <dict>
<key>_order</key>
<string>62</string> size.source=1;
</dict>
• parsers <key>detachable_drive</key>
<dict>
size.target=200
<key>_order</key>
<string>59</string>
maxNodeSize=0.2
• data conversions </dict>
<key>device_manufacturer</key>
<dict>
<key>_order</key>
<string>41</string>
</dict>
<key>device_model</key>
<dict>
<key>_order</key>
<string>42</string>
</dict>
<key>device_revision</key>
11

The Failure - So What?
12

The Right Thing - Help The User Along
• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays
13

The Failure - Unnecessary Ink
14

The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce data ink ratio
• Visualization principles
15

The 2nd Dichotomy
16

The 2nd Dichotomy
two worlds
Industry & Academia
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact
• get the 70% solution
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few
customer’s input
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact • don’t know what’s been done in industry
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few
customer’s input
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact • don’t know what’s been done in industry
• get the 70% solution • don’t understand the use-cases
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few
customer’s input
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact • don’t know what’s been done in industry
• get the 70% solution • don’t understand the use-cases
• don’t think big • don’t understand the environments /
data / domain
• no time/money for real research
• can’t scale
• work based off of a few
customer’s input
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact • don’t know what’s been done in industry
• get the 70% solution • don’t understand the use-cases
• don’t think big • don’t understand the environments /
data / domain
• no time/money for real research • work on simulated data
• can’t scale
• work based off of a few
customer’s input
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact • don’t know what’s been done in industry
• get the 70% solution • don’t understand the use-cases
• don’t think big • don’t understand the environments /
data / domain
• no time/money for real research • work on simulated data
• can’t scale • construct their own problems
• work based off of a few
customer’s input
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact • don’t know what’s been done in industry
• get the 70% solution • don’t understand the use-cases
• don’t think big • don’t understand the environments /
data / domain
• no time/money for real research • work on simulated data
• can’t scale • construct their own problems
• work based off of a few • use overly complicated, impractical
customer’s input solutions
16

The 2nd Dichotomy
Some comments are based on paper reviews from
RAID 2007/08, VizSec 2007/08
Industry Academia
• don’t understand the real impact • don’t know what’s been done in industry
• get the 70% solution • don’t understand the use-cases
• don’t think big • don’t understand the environments /
data / domain
• no time/money for real research • work on simulated data
• can’t scale • construct their own problems
• work based off of a few • use overly complicated, impractical
customer’s input solutions
• use graphs / visualization where it is not
needed
16

The Way Forward
Two disciplines
• Building a secviz discipline
• Bridging the gap Security Visualization
• Learning the “other” discipline
Two worlds
• More academia / industry collaboration
• Build components / widgets / gadgets
• (Re-)use existing technologies
• Focus on strengths SecViz
• Focus on the visualization and interaction aspects
17

• Use-case oriented visualization
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX
18

My Focus Areas
• Use-case oriented visualization
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX
18

Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
- Insiders often have legitimate access to machines and data. You need to log more than the
exceptions
- Insider crimes are often executed on the application layer
• The questions are not known in advance!
- Visualization provokes questions and helps find answers
• Dynamic nature of fraud
- Problem for static algorithms
- Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
19

20

20

SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about
security visualization.

V
D X
Data Analysis and Visualization Linux
davix.secviz.org

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
- Use-case driven product development
• We need to solve the data semantics problem
- Common Event Expression?
- Entity extraction?
23

The Future
• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
- Use-case driven product development
• We need to solve the data semantics problem
- Common Event Expression?
- Entity extraction?
23

Vielen Dank!
S
E V
raffael . marty @ secviz . org
C I
Z