Security Research2.0 - FIT 2008

1. Security Research 2.0 Raﬀael Marty, GCIA, CISSP Chief Security Strategist @ Splunk> FIT-IT Visual Computing, Austria - September ‘08

2. Agenda • Security Visualization Today - The SecViz Dichotomy - The Failure - The Way Forward • My Focus Areas • The Future 2

3. Agenda • Security Visualization Today - The SecViz Dichotomy - The Failure Goal: - The Way Forward Provoke thought and stir up more questions than offering • My Focus Areas answers. • The Future 2

4. • Chief Security Strategist @ Splunk> • Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees • Presenting around the world on SecViz • Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100

5. Raﬀael Marty • Chief Security Strategist @ Splunk> • Looked at logs/IT data for over 10 years - IBM Research - Conference boards / committees • Presenting around the world on SecViz • Passion for Visualization Applied Security Visualization - http://secviz.org Paperback: 552 pages Publisher: Addison Wesley (August, 2008) - http://afterglow.sourceforge.net ISBN: 0321510100

6. Security Visualization Today

7. The 1st Dichotomy 5

8. The 1st Dichotomy two domains Security & Visualization 5

9. The 1st Dichotomy Security Visualization 5

10. The 1st Dichotomy Security Visualization • security data • networking protocols • routing protocols (the Internet) • security impact • security policy • jargon • use-cases • are the end-users 5

11. The 1st Dichotomy Security Visualization • security data • types of data • networking protocols • perception • routing protocols (the Internet) • optics • security impact • color theory • security policy • depth cue theory • jargon • interaction theory • use-cases • types of graphs • are the end-users • human computer interaction 5

12. The Failure - New Graphs 6

13. The Right Thing - Reuse Graphs 7

14. The Failure - The Wrong Graph 8

15. The Right Thing - Adequate Graphs 9

16. The Right Thing - Adequate Graphs 9

17. The Failure - The Wrong Integration /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> • Using proprietary data format <plist version="1.0"> <dict> <key>_name</key> • Provide parsers for various data formats <dict> <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> • does not scale <string>YES</string> <key>_order</key> <string>0</string> </dict> • is probably buggy / incomplete <key>bsd_name</key> <dict> <key>_order</key> <string>62</string> • Use wrong data access paradigm </dict> <key>detachable_drive</key> <dict> • complex configuration <key>_order</key> <string>59</string> </dict> e.g., needs an SSH connection <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 10

18. The Right Thing - KISS /usr/share/man/man5/launchd.plist.5 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> • Keep It Simple Stupid <plist version="1.0"> <dict> <key>_name</key> <dict> • Use CSV input <key>_isColumn</key> <string>YES</string> <key>_isOutlineColumn</key> <string>YES</string> • Use files as input <key>_order</key> <string>0</string> </dict> <key>bsd_name</key> # Using node sizes: • Offload to other tools <dict> <key>_order</key> <string>62</string> size.source=1; </dict> • parsers <key>detachable_drive</key> <dict> size.target=200 <key>_order</key> <string>59</string> maxNodeSize=0.2 • data conversions </dict> <key>device_manufacturer</key> <dict> <key>_order</key> <string>41</string> </dict> <key>device_model</key> <dict> <key>_order</key> <string>42</string> </dict> <key>device_revision</key> 11

19. The Failure - So What? 12

20. The Right Thing - Help The User Along • Provide use-case aligned displays • Meaningful legends • Interactive exploration • UI design that guides the user through tasks • Do not overload displays 13

21. The Failure - Unnecessary Ink 14

22. The Right Thing - Apply Good Visualization Practices • Don't use graphics to decorate a few numbers • Reduce data ink ratio • Visualization principles 15

23. The 2nd Dichotomy 16

24. The 2nd Dichotomy two worlds Industry & Academia 16

25. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia 16

26. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact 16

27. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution 16

28. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big 16

29. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research 16

30. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research • can’t scale 16

31. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • get the 70% solution • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16

32. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16

33. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • no time/money for real research • can’t scale • work based off of a few customer’s input 16

34. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • can’t scale • work based off of a few customer’s input 16

35. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • work based off of a few customer’s input 16

36. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few customer’s input 16

37. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few • use overly complicated, impractical customer’s input solutions 16

38. The 2nd Dichotomy Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08 Industry Academia • don’t understand the real impact • don’t know what’s been done in industry • get the 70% solution • don’t understand the use-cases • don’t think big • don’t understand the environments / data / domain • no time/money for real research • work on simulated data • can’t scale • construct their own problems • work based off of a few • use overly complicated, impractical customer’s input solutions • use graphs / visualization where it is not needed 16

39. The Way Forward Two disciplines • Building a secviz discipline • Bridging the gap Security Visualization • Learning the “other” discipline Two worlds • More academia / industry collaboration • Build components / widgets / gadgets • (Re-)use existing technologies • Focus on strengths SecViz • Focus on the visualization and interaction aspects 17

40. • Use-case oriented visualization • Perimeter Threat • Governance Risk Compliance (GRC) • Insider Threat • IT data visualization • SecViz.Org • DAVIX 18

41. My Focus Areas • Use-case oriented visualization • Perimeter Threat • Governance Risk Compliance (GRC) • Insider Threat • IT data visualization • SecViz.Org • DAVIX 18

42. Insider Threat Visualization • Huge amounts of data • More and other data sources than for the traditional security use-cases - Insiders often have legitimate access to machines and data. You need to log more than the exceptions - Insider crimes are often executed on the application layer • The questions are not known in advance! - Visualization provokes questions and helps find answers • Dynamic nature of fraud - Problem for static algorithms - Bandits quickly adapt to fixed threshold-based detection systems • Looking for any unusual patterns 19

43. 20

44. 20

45. SecViz - Security Visualization This is a place to share, discuss, challenge, and learn about security visualization.

46. V D X Data Analysis and Visualization Linux davix.secviz.org

47. • Addressing the secviz dichotomy • Better industry - academia collaboration • More and better visualization tools - Use-case driven product development • We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23

48. The Future • Addressing the secviz dichotomy • Better industry - academia collaboration • More and better visualization tools - Use-case driven product development • We need to solve the data semantics problem - Common Event Expression? - Entity extraction? 23

49. Vielen Dank! S E V raﬀael . marty @ secviz . org C I Z

Security Research2.0 - FIT 2008

You are reading a preview.

Security Research2.0 - FIT 2008

More Related Content

Similar to Security Research2.0 - FIT 2008

More from Raffael Marty

Featured

Related Books

Related Audiobooks