Visualization: Transforming How We View Security


Visual analytics have been emerging in recent years to help transform cyber security data into relevant information so professionals can acquire greater insight on their security posture, respond faster, and prove compliance. Among the benefits of visualization are the ability to deal with vast amounts of security data, quickly discover patterns and anomalies, and effectively communicate issues to experts and non-experts alike. Learn how visualization is transforming the security field, what visualization tools are available today, and basic principles for successfully implementing security data visualization.


Visualization: Transforming How We View Security

Anita D’Amico, Ph.D.
AnitaD@SecureDecisions.avi.com

I5, April 28 2008

Company Background

• Secure Decisions is a division of Applied Visions, Inc.

• We create visual aids to improve situational awareness of vulnerabilities and threats to critical infrastructure

• We provide security visualization products and custom solutions

• Result of over 10 years of visualization R&D for military and civilian agencies, and commercial clients

Agenda

• Value of visualization
• The psychology behind making effective visualizations
• Current uses of visualization in security lifecycle
• Issues affecting how you implement security visualizations in your enterprise

In a Nutshell

• “Visual analytics” help security professionals analyze large volumes of complex security data

• Many security tools are adding some form of visualization, but … not all “pretty pictures” are useful

• No single visualization is effective for all tasks and phases of the security lifecycle

• Good visualization systems are grounded in psychological principles of situational awareness

• Good visualization systems go beyond graphics

VALUE OF VISUALIZATION

A Picture is Worth a Thousand Log Files

Figure callouts: Actionable information; Greater insight; Faster response times; Communicate results

MeerCAT under development for DOD by Secure Decisions www.SecureDecisions.com

Visual Analytics

Visualizations to analyze and understand large quantities of often ambiguous or conflicting data.

Major thrust of Department of Homeland Security’s National Visualization and Analytics Center

Source: Ed Blanchfield www.visualcomplexity.com

Value of Visualization

• Orient your attention to the most critical information
• Discover patterns, trends, and anomalies in network data
• Comprehend massive amounts of data more quickly than from text
• See context (e.g. location, timing) of security events
• Makes the intangible cyber world easier to understand and explain, especially to non-experts

Visualization Lets Us “See” Cyberspace

Source: Ed Blanchfield www.visualcomplexity.com/vc/project_details.cfm?index=17&id=268&domain=Computer%20Systems

15 minutes of log data for a class B firewall – No background worm traffic

The same data with background worm traffic

VISUALIZATIONS BASED ON PSYCHOLOGY OF SITUATIONAL AWARENESS

3 Stages of Situational Awareness

Situation Assessment / Response Management

Perception – What’s happening right now?

Comprehension – What is the relevance of what I’m seeing?

Projection – What will happen if I do or don’t take action?

Perception

Visual Techniques to Enhance Perception
• One data source at a time; e.g. only IPS alerts, or CERT advisories, or network performance metrics
• Simple 2D graphics like pie charts and line graphs
• Distinctive color highlighting
• Same screen set-up every time, e.g. dashboard
• Simple maps and diagrams
• Prioritized data

Enhancing Perception

Figure callouts: Dashboard of Current Status; Color Highlighting to Direct Attention; Map for General Orientation and Spatial Context; Simple Graphics; Only High Priority Alerts

CA eTrust Security Command Center www.ca.com/products/

Comprehension

Visual Techniques to Enhance Comprehension
• Multi-dimensional graphics
• Visually correlate several types of data in one visualization
• Multiple coordinated views
• Emphasis on spatial and temporal context
• Specific techniques
  – Link analyses
  – Graphs of trends
  – Star trees
  – Parallel coordinates

Coordinated Views Enhance Comprehension

Figure callouts: Star Tree depicts connections between nodes of interest; Histogram view of same data; Simultaneous filtering of multiple views of dataset; Table Lens provides alternative visual perspective; Data Table

VIAssist developed for DOD and commercial use by Secure Decisions – www.SecureDecisions.com

StarTree Shows Connection Patterns

Figure callouts: IP address of interest; Thicker line indicates more connections to US; Red dots indicate Dest IP in Morocco is on Watch List.

StarTree from Inxight. www.inxight.com. Modified for inclusion in VIAssist – www.SecureDecisions.com

Multi-Dimensional Graphics: Correlation of Suspicious Activity with Time and Location

Figure callout (Mail): Mail Server is a mission-critical asset; therefore it is shown as a larger box.

Secure Decisions SecureScope™ www.SecureScope.com or www.SecureDecisions.com

Projection

Visual Techniques to Enhance Projection
• Predicted attack paths
• Security data combined with organization charts
• Replays of network traffic
• Animation

Predict Impact of an Attack on a Mission

Figure callouts: Wall depicts required sequence of mission-critical tasks; Mission-Critical Tasks; Assets or Resources Needed for Each Task; Lines point to specific assets needed to support each task; Assets are color-coded by degree of current availability

Secure Decisions SecureScope – www.SecureDecisions.com

VISUALIZATIONS FOR EACH PHASE OF SECURITY LIFECYCLE

Security Lifecycle

Lifecycle phases (cycle diagram): Monitor, Assess, Remediate, Security Policies and Report

Visualizations for Situational Awareness & Security Lifecycle

Matrix of Security Lifecycle Phases (rows: MONITOR, ASSESS, REMEDIATE, REPORT) against Situational Awareness Stages (columns: Perception, Comprehension, Projection)

Monitoring

Lifecycle phases: Monitor, Assess, Remediate, Security Policies and Report

Monitor
• Identify policy violations
• Monitor alerts from Intrusion Prevention System
• Identify vulnerabilities
• Identify anomalous network performance

Visualization for Monitoring

Guidelines for How the Viz Should Look
• Standardized, simple views for rapid scanning and comparing
• Visualize primary sensor data (e.g. IPS alerts)
• Simple 2D graphics, e.g. of security metrics
• Big graphics that can be seen on a “Big Board”
• Use color, blinking, and motion in uniform, pre-set conditions
• Distinguish old data from new

Event Dashboard

Figure callouts: 2D Graphics; Prioritized, Color-coded Alerts; Simple Metrics

eIQ Enterprise Security Analyzer product of eIQnetworks™ – www.eiqnetworks.com

Prioritized Alerts

Alert table columns: Time, Device, Source IP, Destination IP, Alert, Protocol

eIQ Enterprise Security Analyzer product of eIQnetworks™ – www.eiqnetworks.com

“Big Board” of Trouble Spots

MITRE IWViz developed for USAF www.mitre.org/work/tech_transfer/technologies/iwviz.html or www.SecureDecisions.com

Visualization for Monitoring

Guidelines for How the Visualization System Should Operate
• Standard, regular queries to data repository
  – e.g. poll database for top 100 alerts every 15 minutes
• Standard visual filters for shared display
  – only show activity on pre-specified critical assets
• Drill down for other data
• Automatically update data being visualized at regular intervals
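The monitoring refresh these guidelines describe (a standard top-N alert query, a fixed filter to pre-specified critical assets, and the earlier "distinguish old data from new" rule), as an added Python example that is not part of the original presentation; the alert schema, the asset list and the sample records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    alert_id: int
    time: str       # ISO-8601 timestamp (constructed)
    device: str
    src_ip: str
    dst_ip: str
    name: str
    protocol: str
    priority: int   # higher means more urgent

# Constructed sample alerts, in the dashboard's column order; IPs are documentation ranges.
SAMPLE_ALERTS = [
    Alert(1, "2008-04-28T09:00:00", "ips-dmz", "198.51.100.7", "192.0.2.10", "WEB-ATTACK SQLi", "TCP", 8),
    Alert(2, "2008-04-28T09:01:00", "ips-dmz", "198.51.100.9", "192.0.2.77", "ICMP sweep", "ICMP", 2),
    Alert(3, "2008-04-28T09:02:00", "fw-core", "203.0.113.4", "192.0.2.25", "SMTP relay attempt", "TCP", 6),
    Alert(4, "2008-04-28T09:03:00", "ips-dmz", "198.51.100.7", "192.0.2.10", "WEB-ATTACK traversal", "TCP", 7),
    Alert(5, "2008-04-28T09:04:00", "fw-core", "203.0.113.9", "192.0.2.99", "Port scan", "TCP", 3),
]

# Pre-specified critical assets: the shared display's standard visual filter (constructed).
CRITICAL_ASSETS = {"192.0.2.10", "192.0.2.25"}

def dashboard_rows(alerts, critical_assets, top_n, seen_ids):
    """One refresh cycle: keep alerts aimed at critical assets, rank by priority
    (ties: earlier first), truncate to top_n, and flag rows not shown before.
    Returns (rows, updated_seen_ids); rows are (is_new, Alert) pairs."""
    on_critical = [a for a in alerts if a.dst_ip in critical_assets]
    top = sorted(on_critical, key=lambda a: (-a.priority, a.time))[:top_n]
    rows = [(a.alert_id not in seen_ids, a) for a in top]
    return rows, set(seen_ids) | {a.alert_id for a in top}

def render_board(rows):
    """Plain-text rendering; the NEW marker stands in for a colour or blink cue."""
    lines = []
    for is_new, a in rows:
        flag = "NEW" if is_new else "   "
        lines.append(f"{flag} P{a.priority} {a.time} {a.device} {a.src_ip} -> {a.dst_ip} {a.name} {a.protocol}")
    return lines

if __name__ == "__main__":
    seen = set()
    for cycle in range(2):  # two polling cycles; the second shows nothing new
        rows, seen = dashboard_rows(SAMPLE_ALERTS, CRITICAL_ASSETS, 100, seen)
        print(f"--- cycle {cycle} ---")
        print("\n".join(render_board(rows)))
```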

Assessment

Lifecycle phases: Monitor, Assess, Remediate, Security Policies and Report

Assess
• Explore data for patterns
• Analyze for suspicious activity
• Analyze risks
• Audit for compliance

Visualization for Assessment

Guidelines for How the Viz Should Look
• Keep primary data of interest in foreground
• Add secondary data (e.g. whois, CERT advisories, location) to help interpretation of primary data
• Multi-dimensional displays, often with temporal and spatial context
• Multiple coordinated views of data
• Color, blinking, and motion under user control

Assess Vulnerability from Rogue Access Points

Figure callouts: Building floor layout; Topology of Connections; Heatmap of Signal Strength; Vulnerable Groups

AirWave’s RAPIDS http://www.airwave.com/products/rapids/

Risk Analysis

RedSeal™ Security Risk Manager www.redseal.net

Visualization for Assessment

Guidelines for the Visualization System
• Ad hoc data exploration tools
• Keep track of path taken through data (e.g. give cues to what has been filtered)
• Specially-crafted queries to data repository
• Customizable visual filters for shared display
• Drill down for other data
• Aggregate data at higher level of abstraction
• Do not automatically update data under analysis
• Retain historic data for access by visualization

Remediation

Lifecycle phases: Monitor, Assess, Remediate, Security Policies and Report

Remediate
• Analyze impact of remediation
• Modify access controls
• Enforce policies
• Educate
• Respond to incidents

Visualization for Remediation

Guidelines for How the Viz Should Look
• Link diagrams to show causality and dependencies
• Line graphs of network activity over time
  – Annotated to show need for and effects of remediation
• Simple graphics, e.g. frequency charts, showing changes in security metrics
  – Shows need for and effects of remediation
• Uncluttered
• Retain information when rendered in grey scale

Effect of Changed Asset on Other Systems

CA CMDB Change Impact Analysis – www.ca.com/us/cmdb.aspx

Figure callouts: This changed asset is required by Email Support; is business owner of STL_LDAP Security

Visually-Mediated Tool for Controlling Access

Meru Networks E(z)RF www.merunetworks.com/

Visualization for Remediation

Guidelines for the Visualization System
• Role-based security access, to protect remediation activities from general viewing
• Viz system should be able to access historical data for before and after views
• Rapidly copy visualizations for insertion in reports
• Email visualizations
• Print directly from visualization system

Reporting

Lifecycle phases: Monitor, Assess, Remediate, Security Policies and Report

Report
• Report to management
• Report on compliance
• Collaborate with experts

Visualization for Reporting

Guidelines for How the Viz Should Look
• Graphics and icons understandable without explanation, e.g. line graphs, frequency charts
• Annotations
• Uncluttered
• Layers of information that build on top of each other, like transparencies being added
• Retain information when rendered in grey scale

Management Report

OSSIM - Open Source Security Information Management - www.ossim.net

Compliance Reporting

IBM Tivoli Compliance Insight Manager www-306.ibm.com/software/tivoli/products/security-compliance-mgr/

Visualization for Reporting

Guidelines for the Visualization System
• Standard PowerPoint templates that can be automatically filled in from the viz system
• Annotate and save annotations in visualizations
• Direct access to historical data
• Rapidly copy visualizations for insertion in reports
• Email visualizations
• Print directly from visualization system

HOW TO GET SECURITY VISUALIZATION IMPLEMENTED IN YOUR ENTERPRISE

How to Get Security Visualizations

Four ways to get security visualizations
• Individual security tools with integral visualizations
• Security Information & Network Management systems with integrated visualizations
• General-purpose visualization tools, to customize for security purposes
• Dedicated security visualization systems

How to Get Security Visualizations

Individual security tools with integrated visualizations

Single Data Source: Firewall, audit logs, IPS alerts, pcap files

Benefits
• Configured for easy interpretation of specific security data
• Some inexpensive (open source)

Drawbacks
• No cross-sensor correlation
• Exploratory

Sample Products: Afterglow, AirWave, RUMINT, TNV

TreeMap Analyzing Firewall Logs

TreeMap by AfterGlow – sourceforge.net/projects/afterglow or www.secviz.org/?q=node/16

TreeMap for Assessing Firewall Logs: Notional View

Each big box represents a Source IP connecting into the enterprise (e.g. Source IP 195.141.69.45, Source IP 195.143.56.25)

Each big box is subdivided by the Target Ports used to connect to enterprise (e.g. Port 20, Port 25, Port 53). The size of the Target box represents the number of connections achieved.

Each Port box is subdivided into Target IPs reached by the Source IP
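The Source IP, Target Port, Target IP hierarchy of the notional view above, built from firewall log lines with each leaf sized by connections achieved and laid out with the slice-and-dice treemap algorithm, as an added Python example that is not AfterGlow's code or part of the original presentation; the log line format and every address other than the two source IPs on the slide are constructed.

```python
import re
from collections import defaultdict

# Constructed log format: one accepted or dropped connection per line.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Constructed sample lines; the two source IPs are the ones on the slide.
SAMPLE_LOG = """\
2008-04-28 09:00:01 ACCEPT src=195.141.69.45 dst=10.1.2.3 dport=25 proto=TCP
2008-04-28 09:00:02 ACCEPT src=195.141.69.45 dst=10.1.2.3 dport=25 proto=TCP
2008-04-28 09:00:03 ACCEPT src=195.141.69.45 dst=10.1.2.9 dport=20 proto=TCP
2008-04-28 09:00:04 ACCEPT src=195.143.56.25 dst=10.1.2.3 dport=25 proto=TCP
2008-04-28 09:00:05 ACCEPT src=195.143.56.25 dst=10.1.2.53 dport=53 proto=UDP
2008-04-28 09:00:06 ACCEPT src=195.143.56.25 dst=10.1.2.9 dport=20 proto=TCP
2008-04-28 09:00:07 DROP src=203.0.113.1 dst=10.1.2.3 dport=22 proto=TCP
"""

def build_hierarchy(log_text):
    """Source IP -> Target Port -> Target IP -> number of connections achieved."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and " ACCEPT " in line:   # only connections that were actually achieved
            tree[m["src"]][m["dport"]][m["dst"]] += 1
    return tree

def total(node):
    """Size of a subtree: leaves hold counts, inner nodes sum their children."""
    return node if isinstance(node, int) else sum(total(v) for v in node.values())

def slice_and_dice(node, x, y, w, h, depth=0, out=None, path=()):
    """Give every node a rectangle (x, y, w, h) inside its parent's box, with
    area proportional to its count; the split direction alternates per level.
    Returns {path tuple: rect}; the root is path ()."""
    out = {} if out is None else out
    out[path] = (x, y, w, h)
    if isinstance(node, int):
        return out
    size, offset = total(node), 0.0
    for key, child in sorted(node.items()):
        frac = total(child) / size
        if depth % 2 == 0:  # even depth: children laid side by side
            slice_and_dice(child, x + offset * w, y, w * frac, h, depth + 1, out, path + (key,))
        else:               # odd depth: children stacked top to bottom
            slice_and_dice(child, x, y + offset * h, w, h * frac, depth + 1, out, path + (key,))
        offset += frac
    return out

if __name__ == "__main__":
    for path, (x, y, w, h) in slice_and_dice(build_hierarchy(SAMPLE_LOG), 0, 0, 100, 100).items():
        print("  " * len(path) + "/".join(path or ("all",)), f"at ({x:.1f},{y:.1f}) size {w:.1f}x{h:.1f}")
```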

RUMINT Visual Analytics for Packet Data

RUMINT developed by Greg Conti www.rumint.org/

How to Get Security Visualizations

Security Information & Network Management systems with integrated visualizations

Benefits
• Multi-source: firewalls, IDS, applications, etc.
• Multi-perspective: Gain new insight
• Interactive: visualize event, drill down, filter
• Easy to Use: preloaded security visualization

Drawbacks
• Expensive: require SIM

Sample SIM and NMS Products: ArcSight, CA, eIQnetworks, IBM, NeuralStar, Intellitactics, OSSIM

Visualizations Within ArcSight SIM

ArcSight Interactive Discovery and ArcSight ESM – www.arcsight.com

Visualizations Within NeuralStar NMS

NeuralStar by Ai Metrix www.aimetrix.com/about_aimetrix.php

How to Get Security Visualizations

General-purpose visualization tools that can be customized

Benefits
• Truly customized for your own needs

Drawbacks
• No security knowledge built in
• Requires skilled software development staff
• Requires >4 months of development time and cost of a highly skilled

Sample Products: QlikView, Advizor, Inxight, Tom Sawyer, yWorks

QlikView General Purpose Visual Tools

Advizor General Purpose Visual Tools

How to Get Security Visualizations

Dedicated security visualization systems

Benefits
• Configured to visualize larger quantities of security data
• Can interface to multiple sources, e.g. firewalls, IPSs, SIMS
• Designed for many different security users from real-time analysts to security managers in the same organization

Drawbacks
• Some are expensive (>$4K)
• Learning curve (1-2 days)

Sample Products: SecureScope, VIAssist, MeerCAT, VisAlert, TriGeo

TriGeo Insight™ Incorporates QlikView

http://www.trigeo.com/products/insight/

VIAssist Visualization System

Actual multi-vendor integrated visual dashboard

Combines:
• InXight Star Tree and Table Lens
• Advizor Charts
• Secure Decisions Visual Analytic Framework (VIAssist), Filters & Legends

VIAssist www.SecureDecisions.com

Issues in Selecting Visualization Solutions

• Motivational Issues
  – Goals – Why do you want visualizations?
  – What questions do you want to ask of the data?

• Data Issues
  – Data Sources
  – Data Volume
  – Data Access

• Resource Issues
  – Supporting technology infrastructure
  – Staffing and technology expertise
  – Budget

Motivating Issues

• Goals – Why do you want visualizations?
  – Quick monitoring?
  – Detailed analysis?
  – Substantiation for compliance?
  – Sharing with other security professionals?
  – Reporting to non-experts?

• What questions do you want to ask of the data?
  – Am I under attack?
  – When did it start?
  – What’s the organizational impact?
  – Who is it, and where are they?
  – What technique are they using?

Data Issues

• Data Sources
  – One or many?
  – Pre-processed? e.g. alerts
  – Raw? e.g. packet data
  – Recent or historical?
  – Need to periodically bring in other sources? (e.g. CERT or ISAC advisories, maps)

• Data Volume
  – How many GB or TB a day do you get?
  – Of that, what do you want to look at?

• Data Access
  – Central repository, or does visualization need to interface to several other systems for data?

Resource Issues

• Supporting technology infrastructure
  – Preferred operating system
  – Central or distributed monitoring
  – Fat client or web portal usage
  – Collaborative or single user

• Staffing and technology expertise
  – General network administrator or skilled security analyst capable of detailed forensic analysis of data
  – Degree of software development expertise

• Budget

WRAP-UP

In a Nutshell

• “Visual analytics” help security professionals analyze large volumes of complex security data

• Many security tools are adding some form of visualization, but … not all “pretty pictures” are useful

• No single visualization is effective for all tasks and phases of the security lifecycle

• Good visualization systems are grounded in psychological principles of situational awareness

• Good visualization systems go beyond graphics

What’s Your Perspective?

Anita D’Amico
AnitaD@SecureDecisions.com

631-754-4920 ext. 147
