Supercharged graph visualization for cyber security
5th May 2016
Corey Lanum / Ed Wood
09:00 am PDT / 12:00 noon EDT / 17:00 BST / 18:00 CEST
Agenda
● Introductions
● Some Challenges of Cyber Data
● Live Demos
● Hints and Tips
● Your Questions
Webinar will be recorded. Video will be shared tomorrow. Please submit questions via the Citrix panel!
Cambridge Intelligence
• Founded in 2011
• Cambridge UK & Boston US
• We help organizations to understand connected data:
– Award-winning products
– Developer services
– Expert know-how
Introducing KeyLines
KeyLines is a powerful SDK for building network visualization web applications:
• Cross-browser compatibility
• Works on any device
• A fast developer experience
• Rapid deployment
• Easy maintenance
• Full customization
• Powerful functionality
‘Graph’ data: Enron email traffic
● Nodes are people
● Links (or ‘edges’) are emails exchanged
● Nodes are scaled and coloured using social network analysis measures
● Betweenness centrality = the number of shortest paths between other pairs of nodes that pass through a node; a high value marks the people who broker communication between groups, which in the Enron data indicates seniority
● Links are scaled in proportion to the volume of email exchanged
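The betweenness computation the Enron slide relies on, as an added example that is not part of the original deck or of the KeyLines SDK. It runs the Brandes algorithm on a small constructed email graph (the sender, recipient and volume triples are made up), then emits plain node and link objects whose `size` and `width` fields are scaled the way the demo describes; mapping those objects into the SDK's own item format is assumed to be the caller's job.

```javascript
// Added example (not KeyLines code): betweenness centrality on an email graph,
// then node sizes and link widths scaled for a chart.
// EMAILS is constructed sample data: [sender, recipient, emails exchanged].
const EMAILS = [
  ['alice', 'bob', 12], ['alice', 'carol', 4], ['bob', 'carol', 7],
  ['carol', 'dave', 9], ['dave', 'erin', 3], ['dave', 'frank', 5],
];

// Undirected adjacency list: who has exchanged email with whom.
function buildGraph(edges) {
  const adj = {};
  for (const [a, b] of edges) {
    (adj[a] = adj[a] || new Set()).add(b);
    (adj[b] = adj[b] || new Set()).add(a);
  }
  return adj;
}

// Brandes' algorithm: from every source, BFS to count shortest paths (sigma),
// then walk back through the BFS order accumulating each node's share of the
// paths that pass through it. Unnormalised, undirected, unweighted.
function betweenness(adj) {
  const nodes = Object.keys(adj);
  const cb = Object.fromEntries(nodes.map(n => [n, 0]));
  for (const s of nodes) {
    const stack = [];
    const pred = {}, sigma = {}, dist = {}, delta = {};
    for (const n of nodes) { pred[n] = []; sigma[n] = 0; dist[n] = -1; delta[n] = 0; }
    sigma[s] = 1; dist[s] = 0;
    const queue = [s];
    while (queue.length) {
      const v = queue.shift();
      stack.push(v);
      for (const w of adj[v]) {
        if (dist[w] < 0) { dist[w] = dist[v] + 1; queue.push(w); }
        if (dist[w] === dist[v] + 1) { sigma[w] += sigma[v]; pred[w].push(v); }
      }
    }
    while (stack.length) { // back-propagate dependencies in reverse BFS order
      const w = stack.pop();
      for (const v of pred[w]) delta[v] += (sigma[v] / sigma[w]) * (1 + delta[w]);
      if (w !== s) cb[w] += delta[w];
    }
  }
  for (const n of nodes) cb[n] /= 2; // each unordered pair was counted from both ends
  return cb;
}

// Chart items: node size 1..4 by betweenness, link width 1..5 by email volume.
function toChartItems(edges) {
  const cb = betweenness(buildGraph(edges));
  const maxCb = Math.max(...Object.values(cb)) || 1;
  const maxVol = Math.max(...edges.map(e => e[2])) || 1;
  const nodes = Object.entries(cb).map(([id, b]) => ({
    type: 'node', id, betweenness: b, size: 1 + 3 * (b / maxCb),
  }));
  const links = edges.map(([a, b, vol]) => ({
    type: 'link', id: `${a}-${b}`, from: a, to: b, width: 1 + 4 * (vol / maxVol),
  }));
  return { nodes, links };
}

console.log(JSON.stringify(toChartItems(EMAILS), null, 1));
```

In the sample graph `dave` is the only bridge to `erin` and `frank` and `carol` is the only bridge from the `alice`/`bob`/`carol` triangle, so they end up with betweenness 7 and 6 while everyone else scores 0; those are the nodes the chart enlarges. For graphs of the size the Q&A mentions (tens of thousands of nodes) this O(VE) pass belongs in a worker or on the server, not in the render loop.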
Cyber Security Data
“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.”
Cyber Security data structures often fit very well with graph entities and visualisations, e.g.:
NODES
● Machines
● People
● Data Centres
● Malware Families
● Applications
● Credentials
LINKS
● Attack Vectors
● Data Packets
● Emails
● Credentials
● Vulnerabilities
● Exfiltrated Data
A visual and interactive representation can efficiently uncover patterns, trends and anomalies in complex data-sets
Challenges of Cyber Data (I)
Size / Volume
• Huge number of security events generated by SIEM and other systems
• Generated at millisecond levels of resolution
• Typically stored in disparate silos that can be unwieldy to manage
• The challenge is to detect unusual behaviour inside terabytes of event and attribute data, including:
○ IP logs – detecting indications of infected machines or botnet zombies
○ Network logs – uncovering applications or users that hog bandwidth, so that systems can be optimized and business-critical applications prioritized
○ Communications logs – analysis to uncover sabotage, espionage or other unwanted activity
○ Web server logs – managing and preventing external threats, such as DDoS attacks
Challenges of Cyber Data (II)
Complexity
• Combination of machine and human actors
• Subtle interactions of the when and the where
Noise
• Significant events and patterns can be hidden in a sea of data
• Attackers will attempt to hide their behaviour!
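What "detecting unusual behaviour inside terabytes of event data" looks like once the events are treated as a graph, as an added example that is not part of the original deck or of any Cambridge Intelligence product. The log lines, their `ts action src= dst= dport= bytes=` format and the detection thresholds are all constructed for this illustration: it builds a directed connection graph from the lines and flags the two shapes a chart should bring to the front, a host with anomalous fan-out (scanning, as in the "IP logs" bullet) and a host beaconing to one destination at a fixed interval (the classic infected-machine signature).

```javascript
// Added example (not KeyLines code): turn firewall log lines into a directed
// connection graph and flag two behaviours a chart should bring forward:
// a host fanning out to many destinations (scanning) and a host contacting
// one destination at a fixed interval (beaconing to a command-and-control server).
// LOG is constructed sample data in a made-up "ts action src= dst= dport= bytes=" format.
const LOG = `
2016-05-05T09:00:00Z ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=512
2016-05-05T09:00:10Z ACCEPT src=10.0.0.3 dst=192.0.2.10 dport=80 bytes=20480
2016-05-05T09:00:20Z DROP src=10.0.0.8 dst=198.51.100.1 dport=445 bytes=0
2016-05-05T09:00:21Z DROP src=10.0.0.8 dst=198.51.100.2 dport=445 bytes=0
2016-05-05T09:00:22Z DROP src=10.0.0.8 dst=198.51.100.3 dport=445 bytes=0
2016-05-05T09:00:23Z DROP src=10.0.0.8 dst=198.51.100.4 dport=445 bytes=0
2016-05-05T09:00:24Z DROP src=10.0.0.8 dst=198.51.100.5 dport=445 bytes=0
2016-05-05T09:00:25Z DROP src=10.0.0.8 dst=198.51.100.6 dport=445 bytes=0
2016-05-05T09:01:00Z ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=520
2016-05-05T09:02:00Z ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=498
2016-05-05T09:02:37Z ACCEPT src=10.0.0.3 dst=192.0.2.11 dport=443 bytes=9010
2016-05-05T09:03:00Z ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=511
2016-05-05T09:04:00Z ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443 bytes=505
`;

// One record per line; malformed or blank lines are skipped, not fatal.
function parseLog(text) {
  const re = /^(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$/;
  const records = [];
  for (const raw of text.split('\n')) {
    const m = re.exec(raw.trim());
    if (!m) continue;
    records.push({
      ts: Date.parse(m[1]) / 1000, action: m[2], src: m[3], dst: m[4],
      dport: Number(m[5]), bytes: Number(m[6]),
    });
  }
  return records;
}

// Directed graph: src -> dst -> ascending list of connection times (seconds).
function buildConnectionGraph(records) {
  const graph = new Map();
  for (const r of records) {
    if (!graph.has(r.src)) graph.set(r.src, new Map());
    const dsts = graph.get(r.src);
    if (!dsts.has(r.dst)) dsts.set(r.dst, []);
    dsts.get(r.dst).push(r.ts);
  }
  for (const dsts of graph.values()) {
    for (const times of dsts.values()) times.sort((a, b) => a - b);
  }
  return graph;
}

// Sources with an unusually high out-degree: at least minDistinct destinations.
function highFanOut(graph, minDistinct) {
  return [...graph]
    .filter(([, dsts]) => dsts.size >= minDistinct)
    .map(([src, dsts]) => ({ src, distinct: dsts.size }));
}

// src->dst pairs seen at least minCount times whose inter-arrival times are
// almost constant (standard deviation / mean <= maxCv): the beaconing pattern.
function beacons(graph, minCount, maxCv) {
  const hits = [];
  for (const [src, dsts] of graph) {
    for (const [dst, times] of dsts) {
      if (times.length < minCount) continue;
      const gaps = times.slice(1).map((t, i) => t - times[i]);
      const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
      const sd = Math.sqrt(gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length);
      if (mean > 0 && sd / mean <= maxCv) hits.push({ src, dst, period: mean, count: times.length });
    }
  }
  return hits;
}

// Thresholds (5 destinations, 5 connections, 10% jitter) are chosen for the sample.
function analyse(text) {
  const graph = buildConnectionGraph(parseLog(text));
  return { fanOut: highFanOut(graph, 5), beacons: beacons(graph, 5, 0.1) };
}

console.log(JSON.stringify(analyse(LOG), null, 1));
```

On the sample, `10.0.0.8` is flagged for touching six distinct hosts on port 445 within seconds and `10.0.0.5` for calling `203.0.113.7` every 60 seconds; `10.0.0.3` matches neither and stays unremarkable, which is the point of the "noise" slide: the chart should colour the two flagged nodes, not draw all thirteen connections with equal weight. Real beacons add jitter and sleep, so a production version widens `maxCv`, works in longer windows, and combines the score with destination reputation before raising an alert.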
Demos
● How to visualize cyber security data:
○ Performance demo
○ Malware demo
○ Data Breach demo
○ Combinations/Grouping demo
○ Geo/TimeBar demo
KeyLines 3.0!
• Supercharge your charts with WebGL (Alpha)
○ Rendering speed up to 10x faster
○ Supported by the ‘Big 4’ browser brands and most devices
○ Improves fluidity and responsiveness with larger datasets
• Three new cyber-security demos
○ To inspire creative use of KeyLines
• New Angular directive
○ Performance and compatibility
Your Questions (I)
“Can KeyLines work with real-time data? If so, what visual model / techniques would you recommend?”
• Yes, it does.
• The Time Bar and tweak layouts are designed for this.
• Try to limit the volume of data being communicated at any one time. Techniques like combos or ghosting can help.
“What is the maximum number of nodes/links you can handle?”
● HTML5 Canvas: a few thousand.
● WebGL: many tens of thousands.
● Using show/hide, around 1 million, but this is rarely useful.
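The "combos" technique recommended in the two answers above, as an added example that is not part of the original deck or of the KeyLines SDK. It collapses a host-level graph into one combo per /24 subnet and merges the links between combos, which is how a real-time or very large chart is kept within the few-thousand-item budget the Canvas renderer is comfortable with. The host list and link volumes are constructed sample data; the `{ id, members, size }` and `{ from, to, volume, count }` shapes are this example's own, not the SDK's item format.

```javascript
// Added example (not KeyLines code): collapse a host-level graph into
// /24 subnet "combos" so a large or real-time chart shows fewer items.
// NODES and LINKS are constructed sample input.
const NODES = ['10.0.0.1', '10.0.0.2', '10.0.0.3', '10.0.1.1', '10.0.1.2', '203.0.113.7'];
const LINKS = [
  { from: '10.0.0.1', to: '10.0.0.2', volume: 30 }, // intra-subnet: hidden inside the combo
  { from: '10.0.0.1', to: '10.0.1.1', volume: 4 },
  { from: '10.0.0.2', to: '10.0.1.2', volume: 6 },
  { from: '10.0.0.1', to: '203.0.113.7', volume: 5 },
  { from: '10.0.0.3', to: '203.0.113.7', volume: 2 },
];

// Map an IPv4 address to its /24 network in CIDR notation; reject anything else
// so a malformed address cannot silently create a bogus combo.
function subnet24(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return `${parts[0]}.${parts[1]}.${parts[2]}.0/24`;
}

// Group hosts into subnet combos and aggregate the links between combos.
// Links whose two ends fall in the same combo are counted but not drawn.
function combineBySubnet(nodes, links) {
  const combos = new Map(); // combo id -> member hosts
  for (const ip of nodes) {
    const id = subnet24(ip);
    if (!combos.has(id)) combos.set(id, []);
    combos.get(id).push(ip);
  }
  const merged = new Map(); // "from|to" -> aggregated link
  let hidden = 0;
  for (const l of links) {
    const from = subnet24(l.from), to = subnet24(l.to);
    if (from === to) { hidden += 1; continue; }
    const key = `${from}|${to}`;
    if (!merged.has(key)) merged.set(key, { from, to, volume: 0, count: 0 });
    const m = merged.get(key);
    m.volume += l.volume;
    m.count += 1;
  }
  return {
    combos: [...combos].map(([id, members]) => ({ id, members, size: members.length })),
    links: [...merged.values()],
    hiddenLinks: hidden,
  };
}

console.log(JSON.stringify(combineBySubnet(NODES, LINKS), null, 1));
```

Six hosts and five links become three combos and two links, with the per-host volumes summed so the aggregated link width still reflects traffic. Keep the `members` list on each combo: the analyst expands a combo when it lights up, and the original hosts must still be there to expand into.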
Your Questions (II)
“How easy is it to change the shape, design and layout of nodes and edges?”
• Very easy.
• Shapes, image nodes, font icons and other designs are possible.
• Six extensible and customizable automated layouts are available.
“Does WebGL handle rendering thousands of nodes and edges well on a machine with, say, an Intel HD 3000?”
• WebGL uses the machine’s GPU, so performance will vary with the graphics hardware.
• For reference, today’s demos ran on a MacBook Air with Intel HD 5000 graphics.
Your Questions
+ Live Questions…!
Summary
● Cyber security data is big, complex and noisy.
● A good cyber security visualization needs:
➔ A well thought-out visual model and a defined question
➔ Functionality to overcome complexity and noise
◆ Good layouts, filtering, combos, time bar, geospatial
➔ The power to work with data at scale
● Graph visualization is the ideal tool.
We’d love to help!