Visualization for Security

  • View
    3.517

  • Download
    4

  • Category

    Internet

Tags:

Preview:

Click to see full reader

DESCRIPTION

Vision is a human’s dominant sense. It is the communication channel with the highest bandwidth into the human brain. Security tools and applications need to make better use of information visualization to enhance human computer interactions and information exchange. In this talk we will explore a few basic principles of information visualization to see how they apply to cyber security. We will explore both visualization as a data presentation, as well as a data discovery tool. We will address questions like: What makes for effective visualizations? What are some core principles to follow when designing a dashboard? How do you go about visually exploring a terabyte of data? And what role do big data and data mining play in security visualization? The presentation is filled with visualizations of security data to help translate the theoretical concepts into tangible applications.

Citation preview

Raffael Marty, CEO

Visualization for Security

Blue Coat - Sunnyvale August, 2014

Secur i ty. Analyt ics . Ins ight .2

I am Raffy - I do Viz!

IBM Research

Secur i ty. Analyt ics . Ins ight .3

What is Security Visualization?

Treemap of a Firewall Log

• if found(machine)

• connect on port 135

• ping scan machines (echo requests)

Showing MS Blaster:

Secur i ty. Analyt ics . Ins ight .4

Security Visualization Can Be Beautiful

Part of Enron Email dataset

sender recipient

Secur i ty. Analyt ics . Ins ight .5

Security Visualization - Sometimes Abstract

Parallel Coordinates of an IDS log

Can you find anythinginteresting?

Secur i ty. Analyt ics . Ins ight .6

Security Visualization

One destinations isgetting hammered!

Parallel Coordinates of an IDS log

Secur i ty. Analyt ics . Ins ight .7

Security Visualization

One destinations isgetting hammered! !

Maybe a false positive?

Visualization

Secur i ty. Analyt ics . Ins ight .9

Basic Visualization Principles

How many 9’s?

Secur i ty. Analyt ics . Ins ight .10

How Many Nines?

Secur i ty. Analyt ics . Ins ight .11

What Product has Highest Profit? And Which has Worst Sales?

Secur i ty. Analyt ics . Ins ight .12

Table Charts

• The exact values are not important

• Comparisons • Highlights

Secur i ty. Analyt ics . Ins ight .13

Show Context

42

Secur i ty. Analyt ics . Ins ight .14

Show Context

42 is just a number

and means nothing without context

Secur i ty. Analyt ics . Ins ight .16

Use Numbers To Highlight Most Important Parts of Data

NumbersSummaries

Secur i ty. Analyt ics . Ins ight .17

Visualization Creates Context

Visualization Puts Numbers (Data) in Context!

Secur i ty. Analyt ics . Ins ight .18

Visualization To …

Present / Communicate Discover / Explore

Data Presentation

Secur i ty. Analyt ics . Ins ight .20

• Show  comparisons, contrasts, differences • Show  causality, mechanism, explanation, systematic

structure. • Show  multivariate data; that is, show more than 1 or 2

variables. !

by Edward Tufte

Principals of Analytic Design

Secur i ty. Analyt ics . Ins ight .21

Comparison (to Normal)

DNS Reflection • 1:100 Amplification with DNS zone transfer for ripe.net domain • 309Gbps for 28 minutes, 30956 open resolver IPs, 3 networks that allowed

spoofing, 5-7 compromised servers 

March 20, 2013

Secur i ty. Analyt ics . Ins ight .22

Causality / Explanation

Secur i ty. Analyt ics . Ins ight .23

Multi-Variate Data

Secur i ty. Analyt ics . Ins ight .24

Choosing Visualizations

Objective AudienceData

25

Charts

26

Secur i ty. Analyt ics . Ins ight .27

More Advanced Graphs

• Parallel Coordinates • Treemaps • Link Graphs • etc.

Secur i ty. Analyt ics . Ins ight .28

Additional information about objects, such as:

• machine • roles • criticality • location • owner • …

• user • roles • office location • …

Add Context

source destination

machine and user context

machine role

user role

Secur i ty. Analyt ics . Ins ight .29

Traffic Flow Analysis With Context

Secur i ty. Analyt ics . Ins ight .30

Intra-Role Anomaly - Random Order

users

time

dc(machines)

Secur i ty. Analyt ics . Ins ight .31

Add Context - User Roles

Administrator

Sales

Development

Finance

Admin???

Secur i ty. Analyt ics . Ins ight .32

http://www.scifiinterfaces.com/

• Black background • Blue or green colors • Glow

Aesthetics Matter

http://www.scifiinterfaces.com/

Dashboards

Secur i ty. Analyt ics . Ins ight .34

• Audience, audience, audience!

• Comprehensive Information (enough context)

• Highlight important data

• Use graphics when appropriate

• Good choice of graphics and design

• Aesthetically pleasing

• Enough information to decide if action is necessary

• No scrolling

• Real-time vs. batch? (Refresh-rates)

• Clear organization

Dashboard Design Principles

Secur i ty. Analyt ics . Ins ight .35

Netflix Dashboard

http://blog.fusioncharts.com/2014/04/how-netflix-plans-to-improve-its-operational-visibility-with-real-time-data-visualization/#more-7243

Secur i ty. Analyt ics . Ins ight .36

37

Data Discovery & Exploration

Secur i ty. Analyt ics . Ins ight .38

Visualize Me Lots (>1TB) of Data

Secur i ty. Analyt ics . Ins ight .39

Data Visualization Workflow

Overview Zoom / Filter Details on Demand

Principle by Ben Shneiderman

Secur i ty. Analyt ics . Ins ight .40

This visualization process requires:

• Low latency, scalable backend (columnar, distributed data store)

• Efficient client-server communications and caching

• Assistance of data mining to

• Reduce overall data to look at

• Highlight relationships, patterns, and outliers

• Assist analyst in focussing on ‘important’ areas

Backend Support

Secur i ty. Analyt ics . Ins ight .41

What I am Working On

Data Stores Analytics Forensics Models Admin

10.9.79.109 --> 3.16.204.150 10.8.24.80 --> 192.168.148.19310.8.50.85 --> 192.168.148.19310.8.48.128 --> 192.168.148.19310.9.79.6 --> 192.168.148.193

10.9.79.6

10.8.48.128

80

538.8.8.8

127.0.0.1

Anomalies

Decomposition

Data

Seasonal

Trend

Anomaly Details

“Hunt” ExplainCommunicate

Secur i ty. Analyt ics . Ins ight .42

Visualization Principles

• Use numbers to highlight most important data

• Use visualizations to put data in context

• Show comparisons, causality, and multivariate data

• To find the right visualization, focus on: Objective, Data, Audience

• Use data context to augment data and tell a story

Visualization can be used for for presentation and/or exploration

• Exploration paradigm: Overview first, zoom and filter, details on demand

Recap

43

raffael.marty@pixlcloud.com

http://slideshare.net/zrlram http://secviz.org and @secviz

Further resources:

mailto:raffy@pixlcloud.com?subject=IBM%20Visualization
http://slideshare.net/zrlram
http://secviz.org
http://twitter.com/secviz

Recommended

PolicyVis: Firewall Security Policy Visualization and ... · PolicyVis: Firewall Security Policy Visualization and Inspection Tung Tran, Ehab Al-Shaer, and Raouf Boutaba – University
Documents
Visualization Evaluation for Cyber Security: Trends and
Documents
An Advanced Security Event Visualization Method for Identifying … · 2019-05-21 · An Advanced Security Event Visualization Method for Identifying Real Cyber Attacks Jungsuk Song1,
Documents
Cyber Security Visualization
Software
3D visualization in the security control center€¦ · 3D visualization in the security control center Peter Bussens – Ken Hunter Barco. 2 Professional Education for the Security
Documents
Visualization: Transforming How We View Security
Technology
Business impact visualization for information security and
Documents
Supercharged graph visualization for cyber security
Technology
Visualizing Threats: Network Visualization for Cyber Security
Technology
Cyber Operator Perspectives on Security Visualization · 2016-08-09 · Cyber Operator Perspectives on Security Visualization Anita D‘Amico1,, Laurin Buchanan1, Drew Kirkpatrick1
Documents
Visualization and Image Processing for Cyber Securityavida.cs.wright.edu/courses/CEG7560/CEG7560_0.pdf · 2016-04-20 · • Cyber Security Visualization examples. Department of Computer
Documents
2016-Cyber-Security-Report-visualization 07 MS
Documents
PhD and Post PhD Network Security Visualization Research
Data & Analytics
The Heatmap - Why is Security Visualization so Hard?
Technology
Home-Centric Visualization of Network Traffic for Security ...infovis.cs.vt.edu/oldsite/papers/VizSec04-visual.pdffective using visualization tools that take advantage of the parallel
Documents
Ensemble Visualization For Cyber Situation Awareness of Network Security Data · 2017-05-01 · Cyber Situation Awareness of Network Security Data ... We can then apply ensemble visualization
Documents
Statistical Analysis and Visualization for Cyber Securityresearch.ihost.com/qprc_2009/papers/QPRC_Contributed_Session_5/... · Statistical Analysis and Visualization for Cyber Security
Documents
Network Security Visualization
Technology
A Visualization-based Approach to Information System Security
Documents
Security Data Visualization
Documents