Security Research2.0 - FIT 2008

1. Security Research 2.0Raﬀael Marty, GCIA, CISSPChief Security Strategist @ Splunk>FIT-IT Visual Computing, Austria - September ‘08

2. Agenda• Security Visualization Today - The SecViz Dichotomy - The Failure - The Way Forward• My Focus Areas• The Future 2

3. Agenda• Security Visualization Today - The SecViz Dichotomy - The Failure Goal: - The Way Forward Provoke thought and stir up more questions than offering• My Focus Areas answers.• The Future 2

4. • Chief Security Strategist @ Splunk>• Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees• Presenting around the world on SecViz• Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100

5. Raﬀael Marty• Chief Security Strategist @ Splunk>• Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees• Presenting around the world on SecViz• Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100

6. Security Visualization Today

7. The 1st Dichotomy5

8. The 1st Dichotomy two domains Security & Visualization5

9. The 1st DichotomySecurity Visualization 5

10. The 1st DichotomySecurity Visualization• security data• networking protocols• routing protocols (the Internet)• security impact• security policy• jargon• use-cases• are the end-users 5

11. The 1st DichotomySecurity Visualization• security data • types of data• networking protocols • perception• routing protocols (the Internet) • optics• security impact • color theory• security policy • depth cue theory• jargon • interaction theory• use-cases • types of graphs• are the end-users • human computer interaction 5

12. The Failure - New Graphs6

13. The Right Thing - Reuse Graphs7

14. The Failure - The Wrong Graph8

15. The Right Thing - Adequate Graphs9

16. The Right Thing - Adequate Graphs9

17. The Failure - The Wrong Integration /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">• Using proprietary data format <plist version="1.0"> <dict> <key>_name</key>• Provide parsers for various data formats <dict> <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> • does not scale <string>YES</string> <key>_order</key> <string>0</string> </dict> • is probably buggy / incomplete <key>bsd_name</key> <dict> <key>_order</key> <string>62</string>• Use wrong data access paradigm </dict> <key>detachable_drive</key> <dict> • complex configuration <key>_order</key> <string>59</string> </dict> e.g., needs an SSH connection <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 10

18. The Right Thing - KISS /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">• Keep It Simple Stupid <plist version="1.0"> <dict> <key>_name</key> <dict>• Use CSV input <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> <string>YES</string>• Use files as input <key>_order</key> <string>0</string> </dict> <key>bsd_name</key> # Using node sizes:• Offload to other tools <dict> <key>_order</key> <string>62</string> size.source=1; </dict> • parsers <key>detachable_drive</key> <dict> size.target=200 <key>_order</key> <string>59</string> maxNodeSize=0.2 • data conversions </dict> <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 11

19. The Failure - So What?12

20. The Right Thing - Help The User Along• Provide use-case aligned displays• Meaningful legends• Interactive exploration• UI design that guides the user through tasks• Do not overload displays 13

21. The Failure - Unnecessary Ink14

22. The Right Thing - Apply Good Visualization Practices• Dont use graphics to decorate a few numbers• Reduce data ink ratio• Visualization principles 15

23. The 2nd Dichotomy16

24. The 2nd Dichotomy two worlds Industry & Academia16

25. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia 16

26. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact 16

27. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact• get the 70% solution 16

28. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact• get the 70% solution• don’t think big 16

29. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact• get the 70% solution• don’t think big• no time/money for real research 16

30. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact• get the 70% solution• don’t think big• no time/money for real research• can’t scale 16

31. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact• get the 70% solution• don’t think big• no time/money for real research• can’t scale• work based off of a few customer’s input 16

32. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact • don’t know what’s been done in industry• get the 70% solution• don’t think big• no time/money for real research• can’t scale• work based off of a few customer’s input 16

33. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact • don’t know what’s been done in industry• get the 70% solution • don’t understand the use-cases• don’t think big• no time/money for real research• can’t scale• work based off of a few customer’s input 16

34. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact • don’t know what’s been done in industry• get the 70% solution • don’t understand the use-cases• don’t think big • don’t understand the environments / data / domain• no time/money for real research• can’t scale• work based off of a few customer’s input 16

35. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact • don’t know what’s been done in industry• get the 70% solution • don’t understand the use-cases• don’t think big • don’t understand the environments / data / domain• no time/money for real research • work on simulated data• can’t scale• work based off of a few customer’s input 16

36. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact • don’t know what’s been done in industry• get the 70% solution • don’t understand the use-cases• don’t think big • don’t understand the environments / data / domain• no time/money for real research • work on simulated data• can’t scale • construct their own problems• work based off of a few customer’s input 16

37. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact • don’t know what’s been done in industry• get the 70% solution • don’t understand the use-cases• don’t think big • don’t understand the environments / data / domain• no time/money for real research • work on simulated data• can’t scale • construct their own problems• work based off of a few • use overly complicated, impractical customer’s input solutions 16

38. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08Industry Academia• don’t understand the real impact • don’t know what’s been done in industry• get the 70% solution • don’t understand the use-cases• don’t think big • don’t understand the environments / data / domain• no time/money for real research • work on simulated data• can’t scale • construct their own problems• work based off of a few • use overly complicated, impractical customer’s input solutions • use graphs / visualization where it is not needed 16

39. The Way ForwardTwo disciplines• Building a secviz discipline• Bridging the gap Security Visualization• Learning the “other” disciplineTwo worlds• More academia / industry collaboration• Build components / widgets / gadgets• (Re-)use existing technologies• Focus on strengths SecViz• Focus on the visualization and interaction aspects 17

40. • Use-case oriented visualization• Perimeter Threat• Governance Risk Compliance (GRC)• Insider Threat• IT data visualization• SecViz.Org• DAVIX 18

41. My Focus Areas• Use-case oriented visualization• Perimeter Threat• Governance Risk Compliance (GRC)• Insider Threat• IT data visualization• SecViz.Org• DAVIX 18

42. Insider Threat Visualization• Huge amounts of data• More and other data sources than for the traditional security use-cases - Insiders often have legitimate access to machines and data. You need to log more than the exceptions - Insider crimes are often executed on the application layer• The questions are not known in advance! - Visualization provokes questions and helps find answers• Dynamic nature of fraud - Problem for static algorithms - Bandits quickly adapt to fixed threshold-based detection systems• Looking for any unusual patterns 19

43. 20

44. 20

45. SecViz - Security VisualizationThis is a place to share, discuss, challenge, and learn about security visualization.

46. V D XData Analysis and Visualization Linux davix.secviz.org

47. • Addressing the secviz dichotomy• Better industry - academia collaboration• More and better visualization tools - Use-case driven product development• We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23

48. The Future• Addressing the secviz dichotomy• Better industry - academia collaboration• More and better visualization tools - Use-case driven product development• We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23

49. Vielen Dank!S E V raﬀael . marty @ secviz . org C I Z

Security Research2.0 - FIT 2008

Raffael Marty

Security Research2.0 - FIT 2008