Visualization for Security

1. Raffael Marty, CEO Visualization for Security Blue Coat - Sunnyvale August, 2014

2. Security. Analytics. Insight.2 I am Raﬀy - I do Viz! IBM Research

3. Security. Analytics. Insight.3 What is Security Visualization? Treemap of a Firewall Log • if found(machine) • connect on port 135 • ping scan machines (echo requests) Showing MS Blaster:

4. Security. Analytics. Insight.4 Security Visualization Can Be Beautiful Part of Enron Email dataset sender recipient

5. Security. Analytics. Insight.5 Security Visualization - Sometimes Abstract Parallel Coordinates of an IDS log Can you ﬁnd anything  interesting?

6. Security. Analytics. Insight.6 Security Visualization One destinations is  getting hammered! Parallel Coordinates of an IDS log

7. Security. Analytics. Insight.7 Security Visualization One destinations is  getting hammered! ! Maybe a false positive?

8. Visualization

9. Security. Analytics. Insight.9 Basic Visualization Principles How many 9’s?

10. Security. Analytics. Insight.10 How Many Nines?

11. Security. Analytics. Insight.11 What Product has Highest Proﬁt? And Which has Worst Sales?

12. Security. Analytics. Insight.12 Table Charts • The exact values are not important • Comparisons • Highlights

13. Security. Analytics. Insight.13 Show Context 42

14. Security. Analytics. Insight.14 Show Context 42 is just a number and means nothing without context

16. Security. Analytics. Insight.16 Use Numbers To Highlight Most Important Parts of Data Numbers Summaries

17. Security. Analytics. Insight.17 Visualization Creates Context Visualization Puts Numbers (Data) in Context!

18. Security. Analytics. Insight.18 Visualization To … Present / Communicate Discover / Explore

19. Data Presentation

20. Security. Analytics. Insight.20 • Show comparisons, contrasts, differences • Show causality, mechanism, explanation, systematic structure. • Show multivariate data; that is, show more than 1 or 2 variables. ! by Edward Tufte Principals of Analytic Design

21. Security. Analytics. Insight.21 Comparison (to Normal) DNS Reflection • 1:100 Amplification with DNS zone transfer for ripe.net domain • 309Gbps for 28 minutes, 30956 open resolver IPs, 3 networks that allowed spoofing, 5-7 compromised servers March 20, 2013

22. Security. Analytics. Insight.22 Causality / Explanation

23. Security. Analytics. Insight.23 Multi-Variate Data

24. Security. Analytics. Insight.24 Choosing Visualizations Objective AudienceData

25. 25

26. Charts 26

27. Security. Analytics. Insight.27 More Advanced Graphs • Parallel Coordinates • Treemaps • Link Graphs • etc.

28. Security. Analytics. Insight.28 Additional information about objects, such as: • machine • roles • criticality • location • owner • … • user • roles • ofﬁce location • … Add Context source destination machine and   user context machine role user role

29. Security. Analytics. Insight.29 Traﬃc Flow Analysis With Context

30. Security. Analytics. Insight.30 Intra-Role Anomaly - Random Order users time dc(machines)

31. Security. Analytics. Insight.31 Add Context - User Roles Administrator Sales Development Finance Admin???

32. Security. Analytics. Insight.32 http://www.sciﬁinterfaces.com/ • Black background • Blue or green colors • Glow Aesthetics Matter

33. Dashboards

34. Security. Analytics. Insight.34 • Audience, audience, audience! • Comprehensive Information (enough context) • Highlight important data • Use graphics when appropriate • Good choice of graphics and design • Aesthetically pleasing • Enough information to decide if action is necessary • No scrolling • Real-time vs. batch? (Refresh-rates) • Clear organization Dashboard Design Principles

35. Security. Analytics. Insight.35 Netﬂix Dashboard http://blog.fusioncharts.com/2014/04/how-netﬂix-plans-to-improve-its-operational-visibility-with-real-time-data-visualization/#more-7243

36. Security. Analytics. Insight.36

37. 37 Data Discovery & Exploration

38. Security. Analytics. Insight.38 Visualize Me Lots (>1TB) of Data

39. Security. Analytics. Insight.39 Data Visualization Workﬂow Overview Zoom / Filter Details on Demand Principle by Ben Shneiderman

40. Security. Analytics. Insight.40 This visualization process requires: • Low latency, scalable backend (columnar, distributed data store) • Efficient client-server communications and caching • Assistance of data mining to • Reduce overall data to look at • Highlight relationships, patterns, and outliers • Assist analyst in focussing on ‘important’ areas Backend Support

41. Security. Analytics. Insight.41 What I am Working On Data Stores Analytics Forensics Models Admin 10.9.79.109 --> 3.16.204.150 10.8.24.80 --> 192.168.148.193 10.8.50.85 --> 192.168.148.193 10.8.48.128 --> 192.168.148.193 10.9.79.6 --> 192.168.148.193 10.9.79.6 10.8.48.128 80 53 8.8.8.8 127.0.0.1 Anomalies Decomposition Data Seasonal Trend Anomaly Details “Hunt” ExplainCommunicate

42. Security. Analytics. Insight.42 Visualization Principles • Use numbers to highlight most important data • Use visualizations to put data in context • Show comparisons, causality, and multivariate data • To find the right visualization, focus on: Objective, Data, Audience • Use data context to augment data and tell a story Visualization can be used for for presentation and/or exploration • Exploration paradigm: Overview first, zoom and filter, details on demand Recap

43. 43 raffael.marty@pixlcloud.com http://slideshare.net/zrlram http://secviz.org and @secviz Further resources:

Visualization for Security

Visualization for Security

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Visualization for Security

Similar to Visualization for Security(20)

More from Raffael Marty

More from Raffael Marty(20)

Recently uploaded

Recently uploaded(16)

Visualization for Security