Security Data Visualization


• 8/14/2019 Security Data Visualization
  Slide 1/59
  Shane Hartman, CISSP, GCIA, GREM
  Suncoast Security Society

• Slide 2/59
  - Data Visualization
  - Network Visualization
  - What do you know
  - Security Visualizations
  - Creating a Visualization System
  - Future

• Slide 3/59
  The main goal of data visualization is to communicate information clearly and effectively through graphical means.

• Slide 4/59
  Without visualization we rely on:
  - Tables
  - Lists
  - Datasets
  - Email alerts
  - Log files

• Slide 5/59
  Visualization has been around since there has been data to view. Everyone is familiar with graphs: bar, pie, line, etc.

• Slide 6/59
  A pretty mature area, with lots of applications including:
  - Insight by HP
  - SolarWinds
  - Big Brother
  - Custom scripts
  Most of these programs rely on agents or SNMP to gather their information for display. Not all of them display visually.

• Slides 7-8/59: image-only slides (no text extracted)

• Slide 9/59
  There are few to no applications for security visualization. Applications exist, but they are:
  - Too specific, covering one area (like IDS)
  - Not visual (like syslog)
  - Do not support enough different areas, i.e. routers, switches, firewalls, etc.
  Where does this lead?

• Slide 10/59
  - Misconfiguration
  - Failure to lock down systems
  - Fear to make changes to systems
  - Complacency
  - Exploitation
  Why?

• Slide 11/59
  Most administrators don't know their network. Here is what they know:
  - Installation and configuration of operating systems
  - Basic knowledge of applications
  - Basic knowledge of networking
  - Basic knowledge of how to keep things working
  The point: basic, basic, basic knowledge.

• Slide 12/59
  Intimate knowledge of operating systems, applications, and networking, including:
  - Default configuration
  - Protocol implementation
  - Hardening standards
  - Interaction with the network
  - Interaction with each other
  How do you do it? Let's look at what we can do now and then going forward.

• Slide 13/59
  - Firewall Log Visualization
  - Port/Application Visualization
  - Traffic Visualization
  - Intrusion Detection Visualization

• Slide 14/59
  Firewalls are just routers with a rule base. Most do not provide much visual information. Visual information is usually limited to:
  - Configuration of rules
  - Visual logging
  - Current activity

• Slides 15-17/59: image-only slides (no text extracted)

• Slide 18/59
  Even though the system doesn't provide the information, you can still get it. Using log parsers such as LogParser can allow you to create graphs from data.

• Slides 19-20/59: image-only slides (no text extracted)

• Slide 21/59
  LogParser uses SQL-like statements to parse data. Sample firewall log record (one line):

    1;31Dec2008;23:47:27;172.24.66.31;log;accept;;eth1c0;inbound;VPN-1 & FireWall-1;;26;{E41F3FA2-3714-42E2-A4E0-02D2A79D7EBF};;domain-udp;172.24.66.211;205.171.2.65;udp;65.127.183.98;;0;0;domain-udp;62205;;28062;;;;;;;;;;;;;;;;;;;;;;;

  Query that charts the top 20 services by hit count:

    logparser -i:TSV -iSeparator:; -fixedSep:ON "select top 20 service_id, count(*) as hits into Chart1.gif from 2009-01-01.txt group by service_id order by hits desc"
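The slide's query, reproduced as an added Python example that is not from the presentation; it reads the column positions off the sample record (the names given to those columns are an assumption) and runs on a constructed export embedded in the block, including one truncated record so the malformed-line handling is exercised:

```python
"""Same aggregation as the slide's LogParser query, run over a ';'-separated
Check Point export with fixedSep semantics (every empty field is kept)."""
import csv
from collections import Counter, defaultdict

# Column positions read off the sample record on the slide; the names given
# to them here are an assumption, not a documented export schema.
ACTION, SERVICE, PROTO = 5, 14, 17
MIN_FIELDS = PROTO + 1

# Constructed sample export: record 1 is the slide's own line, records 2-4 are
# made up in the same layout (placeholder GUIDs, RFC 5737 addresses), and
# record 5 is deliberately truncated to exercise the malformed-line check.
SAMPLE_EXPORT = "\n".join([
    "1;31Dec2008;23:47:27;172.24.66.31;log;accept;;eth1c0;inbound;VPN-1 & FireWall-1;;26;"
    "{E41F3FA2-3714-42E2-A4E0-02D2A79D7EBF};;domain-udp;172.24.66.211;205.171.2.65;udp;"
    "65.127.183.98;;0;0;domain-udp;62205;;28062;;;;;;;;;;;;;;;;;;;;;;;",
    "2;31Dec2008;23:47:29;172.24.66.31;log;accept;;eth1c0;inbound;VPN-1 & FireWall-1;;26;"
    "{00000000-0000-0000-0000-000000000002};;http;172.24.66.50;198.51.100.10;tcp;"
    "65.127.183.98;;0;0;http;51002;;28063;;;;;;;;;;;;;;;;;;;;;;;",
    "3;31Dec2008;23:47:31;172.24.66.31;log;drop;;eth1c0;inbound;VPN-1 & FireWall-1;;26;"
    "{00000000-0000-0000-0000-000000000003};;microsoft-ds;172.24.66.77;203.0.113.5;tcp;"
    "65.127.183.98;;0;0;microsoft-ds;51003;;28064;;;;;;;;;;;;;;;;;;;;;;;",
    "4;31Dec2008;23:47:33;172.24.66.31;log;accept;;eth1c0;inbound;VPN-1 & FireWall-1;;26;"
    "{00000000-0000-0000-0000-000000000004};;domain-udp;172.24.66.211;205.171.2.65;udp;"
    "65.127.183.98;;0;0;domain-udp;62206;;28065;;;;;;;;;;;;;;;;;;;;;;;",
    "5;31Dec2008;23:47:35;172.24.66.31;log",
])

def parse_export(text):
    # Skip truncated or blank records instead of raising on a short field list.
    for fields in csv.reader(text.splitlines(), delimiter=";"):
        if len(fields) >= MIN_FIELDS:
            yield fields

def service_hits(text, top=20):
    """select top N service_id, count(*) as hits ... group by service_id order by hits desc"""
    return Counter(rec[SERVICE] for rec in parse_export(text)).most_common(top)

def action_by_service(text):
    """Pivot accept/drop per service: the 'port distribution' view of the later
    slides, where a new service or a rise in drops stands out at a glance."""
    table = defaultdict(Counter)
    for rec in parse_export(text):
        table[rec[SERVICE]][rec[ACTION]] += 1
    return {svc: dict(counts) for svc, counts in table.items()}

if __name__ == "__main__":
    for service, hits in service_hits(SAMPLE_EXPORT):
        print(f"{hits:5d}  {service}")
```

Point the parser at a real export (for example by reading `2009-01-01.txt`) and feed `service_hits` into whatever charting library you use to get the same bar chart the slide produced with `into Chart1.gif`.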

• Slide 22/59
  Every application uses ports and protocols to communicate across the network. Many can be isolated to the well-known ports:
  - HTTP: port 80
  - SMTP: port 25
  - SQL: port 1433
  - SMB: port 445
  - NetBIOS: port 139

• Slide 23/59
  - Do you know what servers are using what ports?
  - Do you know what your port distribution in the network is?
  - Do you know how your port distribution has changed over time?

• Slides 24-25/59: image-only slides (no text extracted)

• Slide 26/59
  Are these distributions normal? Do I understand why a port distribution would increase or decrease over time?
  - More/less servers
  - More services per server
  - Application(s) leveraging extra ports
  How were these graphs created?

• Slide 27/59
  In addition to knowing the ports in use, there are the traffic patterns over the network. Through packet captures and visualization you can:
  - Determine traffic patterns
  - Lock down ports
  - Optimize network topology

• Slides 28-29/59: image-only slides (no text extracted)

• Slide 30/59
  Are these patterns normal? Is there anything unusual? Is there room to change or update the network? How were these graphs created?

• Slide 31/59
  Based on signatures, much like virus scanners.
  - Only produces insight into what it detects
  - Requires a great deal of monitoring and maintenance
  - Not as many questions can be raised, because every detect is considered a problem

• Slide 32/59: image-only slide (no text extracted)

• Slide 33/59
  Because many of these systems are self-contained, there is not much you can do with them. However:
  - Many of the systems write to databases
  - With some time and effort you can create a common interface which displays a dashboard view of all the systems

• Slide 34/59: image-only slide (no text extracted)

• Slide 35/59
  Before we look at the future, let's get a context of what we have learned through an example. In this example we are going to look at three subjects and how much money in coins they have.

• Slide 36/59
  Nicholas has $2.71 in coins in his pocket.

• Slide 37/59: image-only slide (no text extracted)

• Slide 38/59
  What conclusions can be drawn? What can be theorized about the situation?
  - Nicholas has 21 coins totaling $2.71
  - Nicholas has more quarters than any other coin
  - Maybe Nicholas is about to get paid
  - Maybe he likes quarters
  In other words, not much can be concluded:
  - Too little data
  - Nothing to compare to
  - Only assumptions can be made

• Slide 39/59
  Mark has $1.91 in coins. Nicholas has $2.71 in coins.

• Slide 40/59: image-only slide (no text extracted)

• Slide 41/59
  What conclusions can be drawn?
  - Mark has more nickels and dimes
  - Nick has more pennies and quarters
  In other words, not much can be concluded:
  - Still too little data
  - No basis to conclude anything
  - Only assumptions can be made

• Slide 42/59
  Mark has $1.91 in coins. Nicholas has $2.71 in coins. Daniel has $1.63 in coins.

• Slide 43/59
  Still not much can be learned.
  - Let's add some more data / data types to the story

• Slides 44-47/59: image-only slides (no text extracted)

• Slide 48/59
  There is more than one way to look at the data. By manipulating how data is displayed you can:
  - Get a better understanding of the data
  - Make assumptions
  - Plan better

• Slide 49/59
  Data will be visualized in ways where assumptions will instantly be known. Some of these visualizations are already there; they just need to be applied to networks. Look to other areas and fields to see what they are doing, like social networks, psychology, medicine, movies, meteorology, etc. Here are some examples.

• Slides 50-58/59: image-only slides (no text extracted)

• Slide 59/59
  Visualization or graphing of data is growing beyond simple bar charts. Look for patterns beyond what the data says. Visualizations include:
  - Color
  - Size
  - 3D
  - Sound*