Vision is a human’s dominant sense. It is the communication channel with the highest bandwidth into the human brain. Security tools and applications need to make better use of information visualization to enhance human computer interactions and information exchange.
In this talk we will explore a few basic principles of information visualization to see how they apply to cyber security. We will explore both visualization as a data presentation, as well as a data discovery tool. We will address questions like: What makes for effective visualizations? What are some core principles to follow when designing a dashboard? How do you go about visually exploring a terabyte of data? And what role do big data and data mining play in security visualization?
The presentation is filled with visualizations of security data to help translate the theoretical concepts into tangible applications.
1.
Raffael Marty, CEO
Visualization for Security
Blue Coat - Sunnyvale
August, 2014
2.
Security. Analytics. Insight.2
I am Raffy - I do Viz!
IBM Research
3.
What is Security Visualization?
Treemap of a Firewall Log
Showing MS Blaster:
• ping scan machines (echo requests)
• if found(machine)
• connect on port 135
4.
Security Visualization Can Be Beautiful
Part of the Enron email dataset (link graph: sender and recipient nodes)
5.
Security Visualization - Sometimes Abstract
Parallel Coordinates of an IDS log
Can you find anything interesting?
6.
Security Visualization
Parallel Coordinates of an IDS log
One destination is getting hammered!
7.
Security Visualization
One destination is getting hammered!
Maybe a false positive?
19.
Principles of Analytic Design
by Edward Tufte
• Show comparisons, contrasts, differences
• Show causality, mechanism, explanation, systematic structure.
• Show multivariate data; that is, show more than 1 or 2 variables.
20.
Comparison (to Normal)
DNS Reflection, March 20, 2013
• 1:100 amplification with DNS zone transfer for the ripe.net domain
• 309 Gbps for 28 minutes, 30956 open resolver IPs, 3 networks that allowed spoofing, 5-7 compromised servers
26.
More Advanced Graphs
• Parallel Coordinates
• Treemaps
• Link Graphs
• etc.
27.
Add Context
Additional information about objects, such as:
• machine
  • roles
  • criticality
  • location
  • owner
  • …
• user
  • roles
  • office location
  • …
(Figure: source and destination annotated with machine and user context: machine role, user role)
28.
Traffic Flow Analysis With Context
29.
Intra-Role Anomaly - Random Order
(Figure axes: users, time, dc(machines))
30.
Add Context - User Roles
Administrator
Sales
Development
Finance
Admin???
31.
Aesthetics Matter
http://www.scifiinterfaces.com/
• Black background
• Blue or green colors
• Glow
33.
Dashboard Design Principles
• Audience, audience, audience!
• Comprehensive information (enough context)
• Highlight important data
• Use graphics when appropriate
• Good choice of graphics and design
• Aesthetically pleasing
• Enough information to decide if action is necessary
• No scrolling
• Real-time vs. batch? (Refresh rates)
• Clear organization
37.
Visualize Me Lots (>1TB) of Data
38.
Data Visualization Workflow
Overview → Zoom / Filter → Details on Demand
Principle by Ben Shneiderman
39.
Backend Support
This visualization process requires:
• Low latency, scalable backend (columnar, distributed data store)
• Efficient client-server communications and caching
• Assistance of data mining to
  • Reduce overall data to look at
  • Highlight relationships, patterns, and outliers
  • Assist the analyst in focusing on ‘important’ areas
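The "Add Context" enrichment, the intra-role dc(machines) comparison and the overview / zoom-filter / details-on-demand workflow from the slides above, as an added Python example that is not part of the original deck: the log records, the user-to-role table and the 1.5x-median threshold are constructed assumptions, not the speaker's tool.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not real traffic): (time, user, src_ip, dst_ip, dst_port)
LOG = [
    ("09:00", "alice", "10.8.24.80",  "192.168.148.193", 443),
    ("09:01", "alice", "10.8.24.80",  "192.168.148.194", 443),
    ("09:02", "bob",   "10.8.50.85",  "192.168.148.193", 443),
    ("09:04", "carol", "10.8.48.128", "192.168.148.193", 443),
    ("09:05", "carol", "10.8.48.128", "192.168.148.10",  135),
    ("09:05", "carol", "10.8.48.128", "192.168.148.11",  135),
    ("09:05", "carol", "10.8.48.128", "192.168.148.12",  135),
    ("09:06", "dave",  "10.9.79.6",   "192.168.148.193", 22),
    ("09:07", "dave",  "10.9.79.6",   "192.168.148.20",  22),
    ("09:08", "dave",  "10.9.79.6",   "192.168.148.21",  22),
]
# Constructed context table (the "Add Context" step): user -> role
USER_ROLE = {"alice": "Sales", "bob": "Sales", "carol": "Sales", "dave": "Administrator"}

def enrich(log):
    """Attach each user's role so views can group by role rather than only by IP."""
    return [{"ts": t, "user": u, "src": s, "dst": d, "port": p,
             "role": USER_ROLE.get(u, "unknown")} for t, u, s, d, p in log]

def overview(records):
    """Overview first: connection count per (role, dst_port), small enough to plot."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["role"], r["port"])] += 1
    return dict(counts)

def zoom(records, **criteria):
    """Zoom/filter and details on demand: keep rows matching every given field value."""
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]

def dc_machines(records):
    """dc(machines): distinct destination hosts contacted per user."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["dst"])
    return {u: len(d) for u, d in seen.items()}

def intra_role_anomalies(records, factor=1.5):
    """Flag users whose dc(machines) exceeds factor x the median of their own role."""
    dc = dc_machines(records)
    by_role = defaultdict(list)
    for u, n in dc.items():
        by_role[USER_ROLE.get(u, "unknown")].append(n)
    return sorted(u for u, n in dc.items()
                  if n > factor * median(by_role[USER_ROLE.get(u, "unknown")]))
```

Comparing within a role is what keeps the administrator, who legitimately touches many machines, out of the anomaly list while the Sales user fanning out on port 135 stands out.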
40.
What I am Working On
(Screenshot of the tool: tabs for Data Stores, Analytics, Forensics, Models, Admin; views listing source --> destination connections, Anomalies, a Decomposition of the series into Data, Seasonal and Trend components, and Anomaly Details; workflow labels "Hunt", Explain, Communicate)
41.
Recap
Visualization Principles
• Use numbers to highlight the most important data
• Use visualizations to put data in context
• Show comparisons, causality, and multivariate data
• To find the right visualization, focus on: Objective, Data, Audience
• Use data context to augment data and tell a story
Visualization can be used for presentation and/or exploration
• Exploration paradigm: Overview first, zoom and filter, details on demand
42.
Further resources:
raffael.marty@pixlcloud.com
http://slideshare.net/zrlram
http://secviz.org and @secviz