Transcript
Page 1: Visualization for Security

Raffael Marty, CEO

Visualization for Security

Blue Coat, Sunnyvale, August 2014

Page 2: Visualization for Security

Security. Analytics. Insight.

I am Raffy - I do Viz!

IBM Research

Page 3: Visualization for Security

What is Security Visualization?

Treemap of a Firewall Log

Showing MS Blaster:

• ping scan machines (echo requests)

• if found(machine)

• connect on port 135
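The Blaster pattern above is easy to spot in a treemap because tile area is proportional to event count: one source ends up with a large icmp/echo tile next to a tcp/135 tile. As an added example (not code from the talk), the Python below aggregates a firewall log into the source → proto/dport hierarchy a treemap would render, and also encodes the same pattern as a rule: a source that echo-requests several hosts and afterwards connects to TCP/135 on hosts it pinged. The log format (timestamp action proto src dst dport), the addresses and the min_pings threshold are all constructed for illustration, not any vendor's syntax.

```python
"""Treemap-ready aggregation of a firewall log, plus a rule for the
MS Blaster-style pattern the slide describes: ping sweep, then TCP/135.

Added example; not code from the talk. The log format is a constructed,
simplified one (timestamp action proto src dst dport), not any vendor's.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: 10.0.0.5 echo-requests five hosts, then opens
# TCP/135 to the three that answered; the other sources are ordinary traffic.
SAMPLE_LOG = """\
2014-08-01T10:00:01 allow icmp 10.0.0.5 10.0.1.1 echo
2014-08-01T10:00:01 allow icmp 10.0.0.5 10.0.1.2 echo
2014-08-01T10:00:01 allow icmp 10.0.0.5 10.0.1.3 echo
2014-08-01T10:00:02 allow icmp 10.0.0.5 10.0.1.4 echo
2014-08-01T10:00:02 allow icmp 10.0.0.5 10.0.1.5 echo
2014-08-01T10:00:03 allow tcp 10.0.0.5 10.0.1.2 135
2014-08-01T10:00:03 allow tcp 10.0.0.5 10.0.1.4 135
2014-08-01T10:00:04 allow tcp 10.0.0.5 10.0.1.5 135
2014-08-01T10:00:05 allow tcp 10.0.0.7 10.0.1.10 80
2014-08-01T10:00:06 allow tcp 10.0.0.7 10.0.1.11 443
2014-08-01T10:00:07 allow udp 10.0.0.8 10.0.1.53 53
2014-08-01T10:00:08 deny tcp 10.0.0.9 10.0.1.10 22
"""

Event = Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Split each line into its six fields; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, action, proto, src, dst, dport = parts
        events.append({"ts": ts, "action": action, "proto": proto,
                       "src": src, "dst": dst, "dport": dport})
    return events


def treemap_counts(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Two-level hierarchy for a treemap: source -> proto/dport -> count.

    Tile area is proportional to the count, so a scanning source shows up
    as one large icmp/echo tile next to a tcp/135 tile, with no numbers read.
    """
    tree: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        tree[e["src"]][f"{e['proto']}/{e['dport']}"] += 1
    return {src: dict(c) for src, c in tree.items()}


def find_blaster_like(events: List[Event], min_pings: int = 3) -> List[Tuple[str, int, int]]:
    """Sources that echo-request at least min_pings hosts and afterwards
    connect to TCP/135 on one or more of those hosts.
    Returns (src, hosts pinged, hosts followed up on port 135)."""
    pinged: Dict[str, set] = defaultdict(set)
    first_ping: Dict[str, str] = {}
    rpc: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for e in events:
        if e["proto"] == "icmp" and e["dport"] == "echo":
            pinged[e["src"]].add(e["dst"])
            first_ping.setdefault(e["src"], e["ts"])  # ISO timestamps sort as strings
        elif e["proto"] == "tcp" and e["dport"] == "135":
            rpc[e["src"]].append((e["ts"], e["dst"]))
    hits = []
    for src, targets in pinged.items():
        followed = {dst for ts, dst in rpc.get(src, [])
                    if ts >= first_ping[src] and dst in targets}
        if len(targets) >= min_pings and followed:
            hits.append((src, len(targets), len(followed)))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, tiles in treemap_counts(evs).items():
        print(src, tiles)
    print("blaster-like:", find_blaster_like(evs))
```

The treemap aggregation is what the picture shows; the rule is the textual equivalent of "one source owns the icmp/echo and tcp/135 tiles". On a real log the two disagree in a useful way: the rule only fires on the exact sequence, while the treemap also surfaces a scanner that skips the ping sweep or targets a different port.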

Page 4: Visualization for Security

Security Visualization Can Be Beautiful

Part of Enron Email dataset

(graph legend: sender, recipient)

Page 5: Visualization for Security

Security Visualization - Sometimes Abstract

Parallel Coordinates of an IDS log

Can you find anything interesting?

Page 6: Visualization for Security

Security Visualization

One destination is getting hammered!

Parallel Coordinates of an IDS log

Page 7: Visualization for Security

Security Visualization

One destination is getting hammered!

Maybe a false positive?

Page 8: Visualization for Security

Visualization

Page 9: Visualization for Security

Basic Visualization Principles

How many 9’s?

Page 10: Visualization for Security

How Many Nines?

Page 11: Visualization for Security

What Product has Highest Profit? And Which has Worst Sales?

Page 12: Visualization for Security

Table Charts

• The exact values are not important

• Comparisons

• Highlights

Page 13: Visualization for Security

Show Context

42

Page 14: Visualization for Security

Show Context

42 is just a number

and means nothing without context

Page 15: Visualization for Security
Page 16: Visualization for Security

Use Numbers To Highlight Most Important Parts of Data

Numbers

Summaries

Page 17: Visualization for Security

Visualization Creates Context

Visualization Puts Numbers (Data) in Context!

Page 18: Visualization for Security

Visualization To …

Present / Communicate

Discover / Explore

Page 19: Visualization for Security

Data Presentation

Page 20: Visualization for Security

Principles of Analytic Design, by Edward Tufte

• Show comparisons, contrasts, differences

• Show causality, mechanism, explanation, systematic structure

• Show multivariate data; that is, show more than 1 or 2 variables

Page 21: Visualization for Security

Comparison (to Normal)

DNS Reflection, March 20, 2013

• 1:100 amplification with DNS zone transfer for the ripe.net domain

• 309 Gbps for 28 minutes, 30,956 open resolver IPs, 3 networks that allowed spoofing, 5-7 compromised servers

Page 22: Visualization for Security

Causality / Explanation

Page 23: Visualization for Security

Multi-Variate Data

Page 24: Visualization for Security

Choosing Visualizations

Objective / Data / Audience

Page 25: Visualization for Security

Page 26: Visualization for Security

Charts

Page 27: Visualization for Security

More Advanced Graphs

• Parallel Coordinates

• Treemaps

• Link Graphs

• etc.

Page 28: Visualization for Security

Add Context

Additional information about objects, such as:

• machine: roles, criticality, location, owner, …

• user: roles, office location, …

(figure: source → destination flows annotated with machine and user context, i.e. machine role and user role)

Page 29: Visualization for Security

Traffic Flow Analysis With Context

Page 30: Visualization for Security

Intra-Role Anomaly - Random Order

(chart: one row per user, time on the x-axis, value dc(machines), the distinct count of machines each user touched)

Page 31: Visualization for Security

Add Context - User Roles

(same chart with users grouped by role: Administrator, Sales, Development, Finance; one point annotated "Admin???")
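Pages 28 to 31 make one argument: dc(machines) per user means little in random order, and only becomes an anomaly signal once each user is compared with peers in the same role. As an added example (not the speaker's code), the Python below computes the distinct machine count per user and day from constructed access records, then flags users who exceed their role's median by more than a MAD-based margin. Running it with roles=None reproduces the "random order" view, where the administrators look anomalous simply because they touch many machines; with the role map, only the sales user who suddenly reaches eleven servers stands out. The records, the role map and the threshold parameters (k, min_excess) are assumptions of this example.

```python
"""Intra-role anomaly detection on dc(machines): the distinct count of
machines each user touches per day, compared with peers in the same role.

Added example; not the talk's own code. Access records and the role
mapping below are constructed, and the MAD-based threshold (k, min_excess)
is an assumption of this example."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]  # (day, user, machine)


def _touch(user: str, day: int, n: int, prefix: str) -> List[Record]:
    """Build n constructed records of `user` reaching machines prefix00..prefix(n-1)."""
    return [(day, user, f"{prefix}{i:02d}") for i in range(n)]


# Constructed two days of access records. Admins reach ~11 servers a day,
# sales 2-3 CRM hosts, developers 4-5 build hosts. Sales user "ivy"
# suddenly reaches 11 servers on day 2.
ACCESS: List[Record] = (
    _touch("alice", 1, 11, "srv") + _touch("alice", 2, 12, "srv")
    + _touch("bob", 1, 10, "srv") + _touch("bob", 2, 11, "srv")
    + _touch("carol", 1, 2, "crm") + _touch("carol", 2, 3, "crm")
    + _touch("dan", 1, 3, "crm") + _touch("dan", 2, 2, "crm")
    + _touch("eve", 1, 2, "crm") + _touch("eve", 2, 3, "crm")
    + _touch("ivy", 1, 2, "crm") + _touch("ivy", 2, 11, "srv")
    + _touch("frank", 1, 5, "build") + _touch("frank", 2, 4, "build")
    + _touch("gina", 1, 4, "build") + _touch("gina", 2, 5, "build")
)

# Constructed user-role context (what an HR or directory feed would supply).
ROLES: Dict[str, str] = {
    "alice": "Administrator", "bob": "Administrator",
    "carol": "Sales", "dan": "Sales", "eve": "Sales", "ivy": "Sales",
    "frank": "Development", "gina": "Development",
}


def dc_machines(records: List[Record]) -> Dict[Tuple[str, int], int]:
    """Distinct count of machines per (user, day), i.e. a Splunk-style dc()."""
    seen: Dict[Tuple[str, int], set] = defaultdict(set)
    for day, user, machine in records:
        seen[(user, day)].add(machine)
    return {key: len(machines) for key, machines in seen.items()}


def intra_role_anomalies(records: List[Record], roles: Optional[Dict[str, str]],
                         k: float = 3.0, min_excess: float = 2.0) -> List[Tuple[str, int, int]]:
    """Flag (user, day, dc) where dc exceeds the role's median by more than
    max(k * MAD, min_excess). With roles=None every user is one peer group,
    which is the "no context" baseline the slides argue against."""
    dc = dc_machines(records)
    role_of = (lambda u: roles.get(u, "unknown")) if roles else (lambda u: "all")
    by_role: Dict[str, List[int]] = defaultdict(list)
    for (user, day), n in dc.items():
        by_role[role_of(user)].append(n)
    threshold: Dict[str, float] = {}
    for role, values in by_role.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # min_excess keeps the threshold meaningful when MAD is 0 (tiny, uniform groups)
        threshold[role] = med + max(k * mad, min_excess)
    return sorted((user, day, n) for (user, day), n in dc.items()
                  if n > threshold[role_of(user)])


if __name__ == "__main__":
    print("with role context:", intra_role_anomalies(ACCESS, ROLES))
    print("without context:  ", intra_role_anomalies(ACCESS, None))
```

Median and MAD rather than mean and standard deviation matter here: the outlier itself would otherwise inflate the baseline of its own role. The same join against a role feed is what turns the "random order" chart into the grouped one on the slide.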

Page 32: Visualization for Security

Aesthetics Matter

• Black background

• Blue or green colors

• Glow

http://www.scifiinterfaces.com/

Page 33: Visualization for Security

Dashboards

Page 34: Visualization for Security

Dashboard Design Principles

• Audience, audience, audience!

• Comprehensive information (enough context)

• Highlight important data

• Use graphics when appropriate

• Good choice of graphics and design

• Aesthetically pleasing

• Enough information to decide if action is necessary

• No scrolling

• Real-time vs. batch? (Refresh rates)

• Clear organization

Page 35: Visualization for Security

Netflix Dashboard

http://blog.fusioncharts.com/2014/04/how-netflix-plans-to-improve-its-operational-visibility-with-real-time-data-visualization/#more-7243

Page 36: Visualization for Security

Page 37: Visualization for Security

Data Discovery & Exploration

Page 38: Visualization for Security

Visualize Me Lots (>1TB) of Data

Page 39: Visualization for Security

Data Visualization Workflow

Overview → Zoom / Filter → Details on Demand

Principle by Ben Shneiderman

Page 40: Visualization for Security

Backend Support

This visualization process requires:

• Low latency, scalable backend (columnar, distributed data store)

• Efficient client-server communications and caching

• Assistance of data mining to

  • Reduce overall data to look at

  • Highlight relationships, patterns, and outliers

  • Assist analyst in focussing on ‘important’ areas

Page 41: Visualization for Security

What I am Working On

(product screenshot; tabs: Data Stores, Analytics, Forensics, Models, Admin)

Flows:

10.9.79.109 --> 3.16.204.150
10.8.24.80 --> 192.168.148.193
10.8.50.85 --> 192.168.148.193
10.8.48.128 --> 192.168.148.193
10.9.79.6 --> 192.168.148.193

(link graph nodes: 10.9.79.6, 10.8.48.128, ports 80 and 53, 8.8.8.8, 127.0.0.1)

Anomalies

Decomposition: Data, Seasonal, Trend

Anomaly Details

“Hunt” / Explain / Communicate
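The anomaly panel above decomposes a time series into data, seasonal and trend components and reports what is left over. The Python below is an added example of that technique, not the product's implementation: a centred moving-average trend, a per-hour median as the seasonal estimate (so one spike does not leak into the daily pattern), and a MAD-scaled threshold on the residual. The hourly series, the injected spikes, and the parameters k and floor are constructed for illustration.

```python
"""Seasonal/trend decomposition of an hourly event count, with anomalies
taken from the residual, in the spirit of the "Data / Seasonal / Trend /
Anomalies" panel. Added example, not the product's implementation: a
classical moving-average trend, a median-per-hour seasonal estimate, and a
MAD-scaled residual threshold. The series, k and floor are constructed."""
from statistics import median
from typing import List, Optional, Sequence, Tuple

PERIOD = 24  # hourly data with a daily cycle
# Constructed daily profile: quiet at night, busy during office hours.
PROFILE = [10, 8, 6, 5, 5, 6, 10, 20, 40, 60, 70, 75,
           70, 72, 74, 70, 60, 45, 35, 30, 25, 20, 15, 12]


def constructed_series(days: int = 7,
                       spikes: Sequence[Tuple[int, float]] = ((99, 300.0), (150, 120.0))) -> List[float]:
    """Profile + slow upward trend + small deterministic jitter, plus injected
    spikes (by default a large one at hour 99, day 5 03:00, and a smaller one
    at hour 150)."""
    series = []
    for t in range(days * PERIOD):
        jitter = (t * 37) % 7 - 3  # deterministic, zero-mean, in [-3, 3]
        series.append(PROFILE[t % PERIOD] + 0.2 * t + jitter)
    for t, size in spikes:
        series[t] += size
    return series


def decompose(series: Sequence[float], period: int = PERIOD):
    """Return (trend, seasonal, residual). Trend is a centred moving average
    of period+1 points (None where the window would run off either end);
    seasonal is the per-hour median of the detrended values, so a single
    spike does not distort the daily pattern; residual = data - trend - seasonal."""
    half = period // 2
    n = len(series)
    trend: List[Optional[float]] = [None] * n
    for t in range(half, n - half):
        window = series[t - half:t + half + 1]
        trend[t] = sum(window) / len(window)
    detrended = {}
    for t in range(n):
        if trend[t] is not None:
            detrended.setdefault(t % period, []).append(series[t] - trend[t])
    seasonal_by_hour = {h: median(v) for h, v in detrended.items()}
    seasonal = [seasonal_by_hour.get(t % period, 0.0) for t in range(n)]
    residual = [None if trend[t] is None else series[t] - trend[t] - seasonal[t]
                for t in range(n)]
    return trend, seasonal, residual


def anomalies(series: Sequence[float], k: float = 5.0,
              floor: float = 20.0) -> List[Tuple[int, float, float]]:
    """(t, value, residual) for points whose residual is more than
    max(k * 1.4826 * MAD, floor) from the median residual. 1.4826 scales MAD
    to a standard deviation under normality; `floor` stops a near-zero MAD
    from flagging every small wobble."""
    _, _, residual = decompose(series)
    r = [x for x in residual if x is not None]
    med = median(r)
    mad = median(abs(x - med) for x in r)
    limit = max(k * 1.4826 * mad, floor)
    return [(t, series[t], residual[t]) for t in range(len(series))
            if residual[t] is not None and abs(residual[t] - med) > limit]


if __name__ == "__main__":
    for t, value, resid in anomalies(constructed_series()):
        print(f"hour {t:3d} (day {t // 24 + 1} {t % 24:02d}:00): "
              f"value={value:.0f} residual={resid:+.0f}")
```

Two details matter when this is applied to real counts: the moving average is undefined for the first and last half-period, so the most recent hours are exactly the ones this form cannot score (a one-sided or forecast-based trend is needed for live dashboards), and the spike itself inflates the trend for its neighbours, which is why the threshold is robust (median/MAD) rather than mean/stddev.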

Page 42: Visualization for Security

Recap: Visualization Principles

• Use numbers to highlight the most important data

• Use visualizations to put data in context

• Show comparisons, causality, and multivariate data

• To find the right visualization, focus on: Objective, Data, Audience

• Use data context to augment data and tell a story

• Visualization can be used for presentation and/or exploration

• Exploration paradigm: Overview first, zoom and filter, details on demand


Recommended