Visualization for Security
Vision is a human’s dominant sense. It is the communication channel with the highest bandwidth into the human brain. Security tools and applications need to make better use of information visualization to enhance human computer interactions and information exchange.

In this talk we will explore a few basic principles of information visualization to see how they apply to cyber security. We will explore both visualization as a data presentation, as well as a data discovery tool. We will address questions like: What makes for effective visualizations? What are some core principles to follow when designing a dashboard? How do you go about visually exploring a terabyte of data? And what role do big data and data mining play in security visualization?

The presentation is filled with visualizations of security data to help translate the theoretical concepts into tangible applications.


  1. Raffael Marty, CEO. Visualization for Security. Blue Coat - Sunnyvale. August, 2014
  2. Security. Analytics. Insight. I am Raffy - I do Viz! IBM Research
  3. What is Security Visualization? Treemap of a Firewall Log, showing MS Blaster:
     • if found(machine)
     • connect on port 135
     • ping scan machines (echo requests)
  4. Security Visualization Can Be Beautiful. Part of Enron Email dataset (sender, recipient)
  5. Security Visualization - Sometimes Abstract. Parallel Coordinates of an IDS log. Can you find anything interesting?
  6. Security Visualization. One destination is getting hammered! Parallel Coordinates of an IDS log
  7. Security Visualization. One destination is getting hammered! Maybe a false positive?
  8. Visualization
  9. Basic Visualization Principles. How many 9’s?
 10. How Many Nines?
 11. What Product has Highest Profit? And Which has Worst Sales?
 12. Table Charts
     • The exact values are not important
     • Comparisons
     • Highlights
 13. Show Context. 42
 14. Show Context. 42 is just a number and means nothing without context
 15. Use Numbers To Highlight Most Important Parts of Data. Numbers. Summaries
 16. Visualization Creates Context. Visualization Puts Numbers (Data) in Context!
 17. Visualization To … Present / Communicate, or Discover / Explore
 18. Data Presentation
 19. Principles of Analytic Design, by Edward Tufte:
     • Show comparisons, contrasts, differences
     • Show causality, mechanism, explanation, systematic structure.
     • Show multivariate data; that is, show more than 1 or 2 variables.
 20. Comparison (to Normal). DNS Reflection, March 20, 2013:
     • 1:100 Amplification with DNS zone transfer for ripe.net domain
     • 309Gbps for 28 minutes, 30956 open resolver IPs, 3 networks that allowed spoofing, 5-7 compromised servers
 21. Causality / Explanation
 22. Multi-Variate Data
 23. Choosing Visualizations: Objective, Audience, Data
 24. (no slide text)
 25. Charts
 26. More Advanced Graphs
     • Parallel Coordinates
     • Treemaps
     • Link Graphs
     • etc.
 27. Add Context. Additional information about objects, such as:
     • machine: roles, criticality, location, owner, …
     • user: roles, office location, …
     Diagram labels: source, destination, machine and user context, machine role, user role
 28. Traffic Flow Analysis With Context
 29. Intra-Role Anomaly - Random Order. Chart labels: users, time, dc(machines)
 30. Add Context - User Roles: Administrator, Sales, Development, Finance. Admin???
 31. Aesthetics Matter. http://www.scifiinterfaces.com/
     • Black background
     • Blue or green colors
     • Glow
 32. Dashboards
 33. Dashboard Design Principles
     • Audience, audience, audience!
     • Comprehensive Information (enough context)
     • Highlight important data
     • Use graphics when appropriate
     • Good choice of graphics and design
     • Aesthetically pleasing
     • Enough information to decide if action is necessary
     • No scrolling
     • Real-time vs. batch? (Refresh-rates)
     • Clear organization
 34. Netflix Dashboard. http://blog.fusioncharts.com/2014/04/how-netflix-plans-to-improve-its-operational-visibility-with-real-time-data-visualization/#more-7243
 35. (no slide text)
 36. Data Discovery & Exploration
 37. Visualize Me Lots (>1TB) of Data
 38. Data Visualization Workflow: Overview, Zoom / Filter, Details on Demand. Principle by Ben Shneiderman
 39. Backend Support. This visualization process requires:
     • Low latency, scalable backend (columnar, distributed data store)
     • Efficient client-server communications and caching
     • Assistance of data mining to
       • Reduce overall data to look at
       • Highlight relationships, patterns, and outliers
       • Assist analyst in focussing on ‘important’ areas
 40. What I am Working On. Data Stores, Analytics, Forensics, Models, Admin. Screen labels: 10.9.79.109 --> 3.16.204.150, 10.8.24.80 --> 192.168.148.193, 10.8.50.85 --> 192.168.148.193, 10.8.48.128 --> 192.168.148.193, 10.9.79.6 --> 192.168.148.193, 10.9.79.6, 10.8.48.128, 80, 53, 8.8.8.8, 127.0.0.1; Anomalies; Decomposition: Data, Seasonal, Trend, Anomaly; Details; “Hunt”; Explain; Communicate
 41. Recap - Visualization Principles
     • Use numbers to highlight most important data
     • Use visualizations to put data in context
     • Show comparisons, causality, and multivariate data
     • To find the right visualization, focus on: Objective, Data, Audience
     • Use data context to augment data and tell a story
     • Visualization can be used for presentation and/or exploration
     • Exploration paradigm: Overview first, zoom and filter, details on demand
 42. raffael.marty@pixlcloud.com, http://slideshare.net/zrlram, http://secviz.org and @secviz. Further resources:
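Slides 27 to 30 and 38 describe two things the deck never shows in code: enriching raw flow records with machine and user context, and walking Shneiderman's overview, zoom/filter, details-on-demand loop over them, ending in the intra-role anomaly where dc(machines), the distinct count of machines a user talked to, is compared with other users in the same role (the "Admin???" on slide 30). The following is an added example in Python, not code from the slides or from the author's product; the flows, IP addresses, users, roles and the two context tables are constructed sample data, and the outlier rule (more than the role median plus a margin) is an assumption made for the example.

```python
"""Added example (not from the slides): overview / zoom-filter / details on
demand over flow records enriched with machine and user roles, plus the
intra-role dc(machines) anomaly check. All data below is constructed."""
from collections import Counter, defaultdict, namedtuple
from statistics import median

Flow = namedtuple("Flow", "user src dst dport")

# Constructed flow records: user, source IP, destination IP, destination port.
FLOWS = [Flow(*f) for f in [
    ("alice", "10.0.1.10", "10.0.2.20", 443),
    ("alice", "10.0.1.10", "10.0.5.6", 445),
    ("bob",   "10.0.1.11", "10.0.2.20", 443),
    ("bob",   "10.0.1.11", "10.0.5.6", 445),
    ("carol", "10.0.1.12", "10.0.2.20", 443),
    ("carol", "10.0.1.12", "10.0.5.6", 445),
    ("carol", "10.0.1.12", "10.0.5.5", 389),
    ("carol", "10.0.1.12", "10.0.5.7", 1433),
    ("carol", "10.0.1.12", "10.0.3.30", 22),
    ("carol", "10.0.1.12", "10.0.3.31", 22),
    ("dave",  "10.0.1.20", "10.0.3.30", 22),
    ("dave",  "10.0.1.20", "10.0.3.31", 22),
    ("erin",  "10.0.1.21", "10.0.3.30", 22),
    ("erin",  "10.0.1.21", "10.0.3.31", 22),
    ("erin",  "10.0.1.21", "10.0.5.6", 445),
    ("frank", "10.0.1.30", "10.0.5.5", 3389),
    ("frank", "10.0.1.30", "10.0.5.6", 3389),
    ("frank", "10.0.1.30", "10.0.5.7", 3389),
    ("frank", "10.0.1.30", "10.0.3.30", 22),
    ("frank", "10.0.1.30", "10.0.2.20", 22),
]]

# Constructed context tables (hypothetical asset inventory and directory export).
MACHINE_ROLE = {
    "10.0.2.20": "crm-server",
    "10.0.3.30": "build-server",
    "10.0.3.31": "git-server",
    "10.0.5.5": "domain-controller",
    "10.0.5.6": "file-server",
    "10.0.5.7": "db-server",
}
USER_ROLE = {"alice": "sales", "bob": "sales", "carol": "sales",
             "dave": "development", "erin": "development",
             "frank": "administrator"}


def overview(flows):
    """Overview: flow count per destination (what is 'getting hammered')."""
    return Counter(f.dst for f in flows)


def zoom(flows, dst):
    """Zoom / filter: keep only the flows to one destination."""
    return [f for f in flows if f.dst == dst]


def enrich(flow):
    """Add context: attach the machine role and the user role to a flow."""
    return {"user": flow.user,
            "user_role": USER_ROLE.get(flow.user, "unknown"),
            "src": flow.src, "dst": flow.dst,
            "dst_role": MACHINE_ROLE.get(flow.dst, "unknown"),
            "dport": flow.dport}


def details(flows, dst):
    """Details on demand: the enriched records behind one destination."""
    return [enrich(f) for f in zoom(flows, dst)]


def distinct_machines(flows):
    """dc(machines): number of distinct destinations each user talked to."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.user].add(f.dst)
    return {user: len(machines) for user, machines in seen.items()}


def intra_role_outliers(flows):
    """Compare each user's dc(machines) with others in the same role and flag
    users above the role median plus a margin (assumed rule: max(2, median))."""
    by_role = defaultdict(dict)
    for user, n in distinct_machines(flows).items():
        by_role[USER_ROLE.get(user, "unknown")][user] = n
    outliers = {}
    for role, users in by_role.items():
        role_median = median(users.values())
        threshold = role_median + max(2, role_median)
        for user, n in users.items():
            if n > threshold:
                outliers[user] = {"role": role, "dc_machines": n,
                                  "role_median": role_median}
    return outliers


if __name__ == "__main__":
    busiest, count = overview(FLOWS).most_common(1)[0]
    print(f"overview: busiest destination {busiest} ({count} flows)")
    for row in details(FLOWS, busiest):
        print("  detail:", row)
    for user, info in intra_role_outliers(FLOWS).items():
        print(f"intra-role outlier: {user} ({info['role']}) reached "
              f"{info['dc_machines']} machines, role median {info['role_median']}")
```

Without the role tables, carol's six destinations look no different from frank's five; with them, she is the only sales user whose dc(machines) sits far above her peers, which is the kind of question a chart sorted by role, rather than the random order on slide 29, makes visible at a glance.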
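Slide 40 lists "Decomposition: Data, Seasonal, Trend, Anomaly" as the way the prototype surfaces anomalies in a time series. The following is an added example, not the author's or the product's code, of that split in plain Python: an additive decomposition of an hourly event count into a rolling-median trend and an hour-of-day seasonal component, with anomalies scored on the residual using a median/MAD scale. The series (a daily profile, a small day-over-day growth, deterministic noise and one injected spike), the 24-hour period, the use of a median rather than a mean for the trend, and the threshold are all assumptions made for this example.

```python
"""Added example (not from the slides): seasonal-trend decomposition of an
hourly event count and anomaly scoring on the residual, the
'Data -> Seasonal + Trend + Anomaly' split named on slide 40.
Series, period, trend estimator and threshold are assumptions."""
from collections import defaultdict
from statistics import median

PERIOD = 24  # hourly data with a daily cycle (assumption)

# Constructed daily profile of event counts: quiet at night, busy in office hours.
PROFILE = [4, 3, 3, 2, 2, 3, 6, 15, 30, 45, 50, 52,
           48, 50, 47, 44, 38, 25, 15, 10, 8, 6, 5, 4]


def make_series(days=4, spike_at=None, spike=0):
    """Constructed sample series: daily profile + 2 events/day growth +
    small deterministic noise, with an optional injected spike."""
    series = []
    for t in range(days * PERIOD):
        noise = (t * 7) % 5 - 2          # -2..2, deterministic, not random
        value = PROFILE[t % PERIOD] + 2 * (t // PERIOD) + noise
        if t == spike_at:
            value += spike
        series.append(value)
    return series


def rolling_median_trend(series, period):
    """Trend: median over a centred window of one full period. A median is
    used so a single spike cannot drag the trend up with it; the window is
    clamped at both ends so every point is judged against a full cycle."""
    n = len(series)
    half = period // 2
    trend = []
    for t in range(n):
        start = min(max(t - half, 0), n - period)
        trend.append(median(series[start:start + period]))
    return trend


def seasonal_component(detrended, period):
    """Seasonal: per-phase (hour-of-day) median of the detrended values."""
    by_phase = defaultdict(list)
    for t, v in enumerate(detrended):
        by_phase[t % period].append(v)
    phase_median = {p: median(v) for p, v in by_phase.items()}
    return [phase_median[t % period] for t in range(len(detrended))]


def decompose(series, period=PERIOD):
    """Return (trend, seasonal, residual) with series == trend + seasonal + residual."""
    trend = rolling_median_trend(series, period)
    detrended = [x - tr for x, tr in zip(series, trend)]
    seasonal = seasonal_component(detrended, period)
    residual = [d - s for d, s in zip(detrended, seasonal)]
    return trend, seasonal, residual


def robust_anomalies(residual, threshold=10.0):
    """Flag residuals far from their median, measured in MAD-based units."""
    med = median(residual)
    mad = median([abs(r - med) for r in residual])
    scale = max(1.4826 * mad, 1.0)   # floor: a near-perfect series must not divide by ~0
    return [t for t, r in enumerate(residual) if abs(r - med) / scale > threshold]


def find_anomalies(series, period=PERIOD, threshold=10.0):
    """Indices of anomalous points in the series."""
    _, _, residual = decompose(series, period)
    return robust_anomalies(residual, threshold)


if __name__ == "__main__":
    series = make_series(spike_at=60, spike=500)
    for t in find_anomalies(series):
        print(f"anomaly at t={t} (day {t // PERIOD}, hour {t % PERIOD}): "
              f"count={series[t]}")
```

The point of the decomposition for a dashboard is that the residual is what gets plotted and alerted on: the noon spike on day 2 is obvious there, while on the raw count it sits on top of the daily peak and a fixed threshold would either miss it or fire every weekday morning.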
