1.
Security Research 2.0
Raffael Marty, GCIA, CISSP
Chief Security Strategist @ Splunk>
FIT-IT Visual Computing, Austria - September '08
2.
Agenda
• Security Visualization Today
- The SecViz Dichotomy
- The Failure
- The Way Forward
• My Focus Areas
• The Future
Goal: Provoke thought and stir up more questions than offering answers.
4.
Raffael Marty
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
- IBM Research
- Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
- http://secviz.org
- http://afterglow.sourceforge.net
Applied Security Visualization
Paperback: 552 pages
Publisher: Addison Wesley (August, 2008)
ISBN: 0321510100
10.
The 1st Dichotomy
Security:
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• are the end-users
Visualization:
• types of data
• perception
• optics
• color theory
• depth cue theory
• interaction theory
• types of graphs
• human computer interaction
20.
The Right Thing - Help The User Along
• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays
22.
The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce data ink ratio
• Visualization principles
24.
The 2nd Dichotomy
two worlds
Industry & Academia
25.
The 2nd Dichotomy
Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08
Industry:
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few customers’ input
Academia:
• don’t know what’s been done in industry
• don’t understand the use-cases
• don’t understand the environments / data / domain
• work on simulated data
• construct their own problems
• use overly complicated, impractical solutions
• use graphs / visualization where it is not needed
39.
The Way Forward
[Diagram: Security, Visualization, SecViz]
Two disciplines
• Building a secviz discipline
• Bridging the gap
• Learning the “other” discipline
Two worlds
• More academia / industry collaboration
• Build components / widgets / gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects
41.
My Focus Areas
• Use-case oriented visualization
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX
42.
Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
- Insiders often have legitimate access to machines and data. You need to log more than the exceptions
- Insider crimes are often executed on the application layer
• The questions are not known in advance!
- Visualization provokes questions and helps find answers
• Dynamic nature of fraud
- Problem for static algorithms
- Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
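The last bullets of this slide (application-layer data, fixed thresholds that insiders learn to stay under, looking for unusual patterns rather than answering questions known in advance) are easier to see in code. The following is an added example; it is not from the slides or from any of the author's tools. The log format, the field names, the 10,000-row fixed limit and the MAD-based per-user score are assumptions, and the log lines are constructed.

```python
"""Fixed-threshold vs. per-user baseline detection over application-layer export logs.

Added example (not from the slides). Log lines are constructed; the field
names (user, action, rows), the fixed limit and the scoring rule are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Constructed application-layer audit lines: one report export per line.
# bob normally exports ~100 rows and one day exports 9,500 (under the fixed limit).
# carol is an analyst who exports ~12,000 rows every day (over the fixed limit).
SAMPLE_LOG = """\
2008-09-01 user=bob action=export rows=90
2008-09-02 user=bob action=export rows=110
2008-09-03 user=bob action=export rows=95
2008-09-04 user=bob action=export rows=105
2008-09-05 user=bob action=export rows=100
2008-09-06 user=bob action=export rows=9500
2008-09-01 user=carol action=export rows=12000
2008-09-02 user=carol action=export rows=11800
2008-09-03 user=carol action=export rows=12300
2008-09-04 user=carol action=export rows=12100
2008-09-05 user=carol action=export rows=11900
2008-09-06 user=carol action=export rows=12200
"""

LINE_RE = re.compile(r"^(?P<day>\S+) user=(?P<user>\S+) action=export rows=(?P<rows>\d+)$")


def parse_log(text):
    """Return {user: [(day, rows), ...]} in log order; lines that do not parse are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[m["user"]].append((m["day"], int(m["rows"])))
    return events


def fixed_threshold_alerts(events, limit=10000):
    """Static rule: alert on any single export above `limit` rows (assumed value).

    Misses anyone who stays just under the limit and fires every day on users
    whose legitimate job is large exports."""
    return sorted((u, d) for u, evs in events.items() for d, r in evs if r > limit)


def baseline_alerts(events, min_history=3, z_limit=5.0):
    """Per-user robust baseline: alert when an export deviates from that user's own
    history by more than `z_limit` median absolute deviations (MAD).

    Each event is scored only against the events before it, so the baseline is
    rolling and a single spike cannot pull the baseline up before it is scored."""
    alerts = []
    for user, evs in events.items():
        history = []
        for day, rows in evs:
            if len(history) >= min_history:
                med = statistics.median(history)
                mad = statistics.median(abs(h - med) for h in history) or 1.0
                if abs(rows - med) / mad > z_limit:
                    alerts.append((user, day))
            history.append(rows)
    return sorted(alerts)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("fixed threshold:", fixed_threshold_alerts(ev))
    print("per-user baseline:", baseline_alerts(ev))
```

Run as a script, the fixed rule alerts on carol six times and never on bob, while the per-user baseline alerts once, on bob's 9,500-row day. The point is the slide's: a static threshold encodes one question decided in advance, whereas a per-entity baseline asks "is this unusual for this user?" and surfaces the pattern without knowing the question beforehand. The same scores are a natural input for a visualization, for example a per-user time series with the baseline band drawn in.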
45.
SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about
security visualization.
46.
DAVIX - Data Analysis and Visualization Linux
davix.secviz.org
47.
The Future
• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
- Use-case driven product development
• We need to solve the data semantics problem
- Common Event Expression?
- Entity extraction?
49.
Thank you very much!
raffael . marty @ secviz . org
[SecViz logo]