Successfully reported this slideshow.

Security Research2.0 - FIT 2008

1

Share

Loading in …3
×
1 of 51
1 of 51

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Related Audiobooks

Free with a 14 day trial from Scribd

See all

Security Research2.0 - FIT 2008

  1. 1. Security Research 2.0 Raffael Marty, GCIA, CISSP Chief Security Strategist @ Splunk> FIT-IT Visual Computing, Austria - September ‘08
  2. 2. Agenda • Security Visualization Today - The SecViz Dichotomy - The Failure - The Way Forward • My Focus Areas • The Future 2
  3. 3. Agenda • Security Visualization Today - The SecViz Dichotomy - The Failure Goal: - The Way Forward Provoke thought and stir up more questions than offering • My Focus Areas answers. • The Future 2
  4. 4. • Chief Security Strategist @ Splunk> • Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees • Presenting around the world on SecViz • Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100
  5. 5. Raffael Marty • Chief Security Strategist @ Splunk> • Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees • Presenting around the world on SecViz • Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100
  6. 6. Security Visualization Today
  7. 7. The 1st Dichotomy 5
  8. 8. The 1st Dichotomy two domains Security & Visualization 5
  9. 9. The 1st Dichotomy Security Visualization 5
  10. 10. The 1st Dichotomy Security Visualization • security data • networking protocols • routing protocols (the Internet) • security impact • security policy • jargon • use-cases • are the end-users 5
  11. 11. The 1st Dichotomy Security Visualization • security data • types of data • networking protocols • perception • routing protocols (the Internet) • optics • security impact • color theory • security policy • depth cue theory • jargon • interaction theory • use-cases • types of graphs • are the end-users • human computer interaction 5
  12. 12. The Failure - New Graphs 6
  13. 13. The Right Thing - Reuse Graphs 7
  14. 14. The Failure - The Wrong Graph 8
  15. 15. The Right Thing - Adequate Graphs 9
  16. 16. The Right Thing - Adequate Graphs 9
  17. 17. The Failure - The Wrong Integration /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> • Using proprietary data format <plist version="1.0"> <dict> <key>_name</key> • Provide parsers for various data formats <dict> <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> • does not scale <string>YES</string> <key>_order</key> <string>0</string> </dict> • is probably buggy / incomplete <key>bsd_name</key> <dict> <key>_order</key> <string>62</string> • Use wrong data access paradigm </dict> <key>detachable_drive</key> <dict> • complex configuration <key>_order</key> <string>59</string> </dict> e.g., needs an SSH connection <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 10
  18. 18. The Right Thing - KISS /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> • Keep It Simple Stupid <plist version="1.0"> <dict> <key>_name</key> <dict> • Use CSV input <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> <string>YES</string> • Use files as input <key>_order</key> <string>0</string> </dict> <key>bsd_name</key> # Using node sizes: • Offload to other tools <dict> <key>_order</key> <string>62</string> size.source=1; </dict> • parsers <key>detachable_drive</key> <dict> size.target=200 <key>_order</key> <string>59</string> maxNodeSize=0.2 • data conversions </dict> <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 11
  19. 19. The Failure - So What? 12
  20. 20. The Right Thing - Help The User Along • Provide use-case aligned displays • Meaningful legends • Interactive exploration • UI design that guides the user through tasks • Do not overload displays 13
  21. 21. The Failure - Unnecessary Ink 14
  22. 22. The Right Thing - Apply Good Visualization Practices • Don't use graphics to decorate a few numbers • Reduce data ink ratio • Visualization principles 15
  23. 23. The 2nd Dichotomy 16
  24. 24. The 2nd Dichotomy two worlds Industry & Academia 16
  25. 25. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia 16
  26. 26. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact 16
  27. 27. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution 16
  28. 28. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big 16
  29. 29. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research 16
  30. 30. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research • can’t scale 16
  31. 31. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  32. 32. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  33. 33. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  34. 34. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • can’t scale • work based off of a few customer’s input 16
  35. 35. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • work based off of a few customer’s input 16
  36. 36. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few customer’s input 16
  37. 37. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few • use overly complicated, impractical customer’s input solutions 16
  38. 38. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few • use overly complicated, impractical customer’s input solutions • use graphs / visualization where it is not needed 16
  39. 39. The Way Forward Two disciplines • Building a secviz discipline • Bridging the gap Security Visualization • Learning the “other” discipline Two worlds • More academia / industry collaboration • Build components / widgets / gadgets • (Re-)use existing technologies • Focus on strengths SecViz • Focus on the visualization and interaction aspects 17
  40. 40. • Use-case oriented visualization • Perimeter Threat • Governance Risk Compliance (GRC) • Insider Threat • IT data visualization • SecViz.Org • DAVIX 18
  41. 41. My Focus Areas • Use-case oriented visualization • Perimeter Threat • Governance Risk Compliance (GRC) • Insider Threat • IT data visualization • SecViz.Org • DAVIX 18
  42. 42. Insider Threat Visualization • Huge amounts of data • More and other data sources than for the traditional security use-cases - Insiders often have legitimate access to machines and data. You need to log more than the exceptions - Insider crimes are often executed on the application layer • The questions are not known in advance! - Visualization provokes questions and helps find answers • Dynamic nature of fraud - Problem for static algorithms - Bandits quickly adapt to fixed threshold-based detection systems • Looking for any unusual patterns 19
  43. 43. 20
  44. 44. 20
  45. 45. SecViz - Security Visualization This is a place to share, discuss, challenge, and learn about security visualization.
  46. 46. V D X Data Analysis and Visualization Linux davix.secviz.org
  47. 47. • Addressing the secviz dichotomy • Better industry - academia collaboration • More and better visualization tools - Use-case driven product development • We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23
  48. 48. The Future • Addressing the secviz dichotomy • Better industry - academia collaboration • More and better visualization tools - Use-case driven product development • We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23
  49. 49. Vielen Dank! S E V raffael . marty @ secviz . org C I Z

×