Page 1

Supercharged graph visualization for cyber security

5th May 2016

Corey Lanum / Ed Wood

09:00 am PDT / 12:00 noon EDT / 17:00 BST / 18:00 CEST

Page 3

Agenda

● Introductions

● Some Challenges of Cyber Data

● Live Demos

● Hints and Tips

● Your Questions

Webinar will be recorded. Video will be shared tomorrow. Please submit questions via Citrix panel!

Page 4

Cambridge Intelligence

• Founded in 2011

• Cambridge UK & Boston US

• We help organizations to understand connected data:

– Award-winning products

– Developer services

– Expert know-how

Page 5

Introducing KeyLines

KeyLines is a powerful SDK for building network visualization web applications:

• Cross-browser compatibility

• Works on any device

• A fast developer experience

• Rapid deployment

• Easy maintenance

• Full customization

• Powerful functionality

Page 6

‘Graph’ data

Enron email traffic:

• Nodes are people

• Links (or ‘edges’) are the emails exchanged between them

• Nodes are scaled and coloured using social network analysis algorithms

• Betweenness = the number of shortest paths a node lies on; a high value indicates seniority

• Links are scaled in proportion to the volume of email exchanged
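The visual model above (people as nodes, emails as links, node size from betweenness, link width from email volume), as an added example that is not KeyLines code or the webinar's own demo. The mail log, names and counts are constructed; betweenness is computed with Brandes' algorithm on an unweighted, undirected graph.

```javascript
// Added example, not KeyLines code: build the "people are nodes, emails are links" model
// from a constructed mail log, compute betweenness centrality (Brandes' algorithm), and
// derive the node/link scaling the slide describes.
const EMAILS = [            // constructed sample: one [sender, recipient] pair per email
  ['alice', 'bob'], ['alice', 'bob'], ['bob', 'carol'], ['carol', 'bob'], ['carol', 'dave'],
  ['dave', 'erin'], ['erin', 'dave'], ['erin', 'dave'], ['bob', 'dave'],
];
// Aggregate emails into an undirected graph; link volume = emails exchanged between the pair.
function buildGraph(emails) {
  const adj = new Map(), volume = new Map();
  for (const [from, to] of emails) {
    for (const v of [from, to]) if (!adj.has(v)) adj.set(v, new Set());
    adj.get(from).add(to); adj.get(to).add(from);
    const key = [from, to].sort().join('|');
    volume.set(key, (volume.get(key) || 0) + 1);
  }
  return { adj, volume };
}
// Brandes' algorithm: betweenness(v) = sum over pairs s,t of the fraction of
// shortest s-t paths that pass through v (unweighted, undirected graph).
function betweenness(adj) {
  const cb = new Map([...adj.keys()].map(v => [v, 0]));
  for (const s of adj.keys()) {
    const stack = [], pred = new Map(), sigma = new Map(), dist = new Map(), queue = [s];
    for (const v of adj.keys()) { pred.set(v, []); sigma.set(v, 0); dist.set(v, -1); }
    sigma.set(s, 1); dist.set(s, 0);
    while (queue.length) {                       // BFS from s, counting shortest paths
      const v = queue.shift(); stack.push(v);
      for (const w of adj.get(v)) {
        if (dist.get(w) < 0) { dist.set(w, dist.get(v) + 1); queue.push(w); }
        if (dist.get(w) === dist.get(v) + 1) { sigma.set(w, sigma.get(w) + sigma.get(v)); pred.get(w).push(v); }
      }
    }
    const delta = new Map([...adj.keys()].map(v => [v, 0]));
    while (stack.length) {                       // back-propagate dependencies
      const w = stack.pop();
      for (const v of pred.get(w)) delta.set(v, delta.get(v) + (sigma.get(v) / sigma.get(w)) * (1 + delta.get(w)));
      if (w !== s) cb.set(w, cb.get(w) + delta.get(w));
    }
  }
  for (const [v, c] of cb) cb.set(v, c / 2);     // undirected: each pair was counted twice
  return cb;
}
// Visual model from the slide: node size grows with betweenness, link width with email volume.
function chartItems(emails) {
  const { adj, volume } = buildGraph(emails), cb = betweenness(adj);
  const nodes = [...cb].map(([id, b]) => ({ id, size: 1 + b }));
  const links = [...volume].map(([key, n]) => ({ id: key, width: n }));
  return { nodes, links };
}
```

In the constructed sample, bob and dave sit on every shortest path between the two ends of the chain and get betweenness 3; the leaf senders get 0.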

Page 7

Cyber Security Data

“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.”

Cyber security data structures often fit very well with graph entities and visualisations, e.g.:

NODES

● Machines

● People

● Data Centres

● Malware Families

● Applications

● Credentials

LINKS

● Attack Vectors

● Data Packets

● Emails

● Credentials

● Vulnerabilities

● Exfiltrated Data

A visual and interactive representation can efficiently uncover patterns, trends and anomalies in complex data-sets

Page 8

Challenges of Cyber Data (I)

Size / Volume

• Huge number of security events generated by SIEM and other systems...

• Generated at millisecond levels of resolution; typically stored in disparate silos that can be unwieldy to manage.

The challenge is to detect unusual behaviour inside terabytes of event and attribute data, including:

● IP logs – detecting indications of infected machines or botnet zombies

● Network logs – uncovering applications or users that hog bandwidth, so systems can be optimized and business-critical applications prioritized

● Communications logs – analysis to uncover sabotage, espionage or other unwanted activities

● Web server logs – managing and preventing external threats, such as DDoS attacks
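The "machines are nodes, connections are links" model applied to IP logs, as an added example that is not part of the webinar or KeyLines. The log format, the addresses and the flagging rule (fan-out at least three times the median) are all constructed assumptions; the point is that an infected host talking to many unfamiliar destinations becomes a hub that both the heuristic and a graph layout make visible.

```javascript
// Added example, not from the webinar or KeyLines: parse constructed IP connection log
// lines into the "machines are nodes, connections are links" model and flag internal hosts
// whose fan-out is far above their peers. Format, addresses and the 3x-median rule are assumed.
const LOG_LINES = [                              // constructed sample log, one connection per line
  '2016-05-05T09:00:01Z 10.0.0.5 -> 203.0.113.10:443',
  '2016-05-05T09:00:02Z 10.0.0.5 -> 203.0.113.11:443',
  '2016-05-05T09:00:02Z 10.0.0.5 -> 203.0.113.12:8080',
  '2016-05-05T09:00:03Z 10.0.0.5 -> 198.51.100.7:6667',
  '2016-05-05T09:00:03Z 10.0.0.5 -> 198.51.100.8:6667',
  '2016-05-05T09:00:05Z 10.0.0.7 -> 203.0.113.10:443',
  '2016-05-05T09:00:05Z 10.0.0.7 -> 203.0.113.10:443',
  '2016-05-05T09:00:06Z 10.0.0.9 -> 203.0.113.20:443',
  '2016-05-05T09:00:07Z 10.0.0.11 -> 203.0.113.10:443',
  '2016-05-05T09:00:07Z 10.0.0.11 -> 203.0.113.21:443',
  '2016-05-05T09:00:08Z 10.0.0.13 -> 203.0.113.22:443',
  'garbage line that does not parse',           // malformed input must not abort the load
];
const LINE_RE = /^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$/;
// Build the graph: every address is a node, every src->dst pair a link with a hit count.
function parseLog(lines) {
  const nodes = new Set(), links = new Map(), skipped = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) { skipped.push(line); continue; }   // keep loading; report bad lines separately
    const [, , src, dst] = m;
    nodes.add(src); nodes.add(dst);
    const key = `${src}>${dst}`;
    links.set(key, (links.get(key) || 0) + 1);
  }
  return { nodes, links, skipped };
}
// Distinct destinations per source: the hub-ness that a graph layout makes visible.
function fanOut(links) {
  const out = new Map();
  for (const key of links.keys()) {
    const [src, dst] = key.split('>');
    if (!out.has(src)) out.set(src, new Set());
    out.get(src).add(dst);
  }
  return new Map([...out].map(([src, dsts]) => [src, dsts.size]));
}
// Flag sources whose fan-out is at least `factor` times the median fan-out (assumed threshold).
function flagHubs(fan, factor = 3) {
  const counts = [...fan.values()].sort((a, b) => a - b);
  const median = counts[Math.floor(counts.length / 2)];
  return [...fan].filter(([, n]) => n >= factor * median && n > 1).map(([src]) => src);
}
```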

Page 9

Challenges of Cyber Data (II)

Complexity

• Combination of machine and human actors

• Subtle interactions of the When and the Where

Noise

• Significant events and patterns can be hidden in a sea of data

• Attackers will attempt to hide their behaviour!

Page 10

Demos

● How to visualize cyber security data:

○ Performance demo

○ Malware demo

○ Data Breach demo

○ Combinations/Grouping demo

○ Geo/TimeBar demo

Page 11

KeyLines 3.0!

• Supercharge your charts with (Alpha)

○ Rendering speed up to 10x faster

○ Supported by ‘Big 4’ browser brands and most devices

○ Improves fluidity & responsiveness with larger datasets

• Three new cyber-security demos

○ Inspire creative use of KeyLines

• New Angular directive

○ Performance and compatibility

Page 12

Your Questions (I)

“Can KeyLines work with real-time data? If so, what visual model / techniques would you recommend?”

• Yes, it does.

• The Time Bar and Tweak Layouts are designed for this.

• Try to limit the volume of data being communicated at any one time. Techniques like combos or ghosting can help.

“What is the maximum number of nodes/links you can handle?”

● HTML5 Canvas - a few thousand.

● WebGL - many tens of thousands.

● Using show/hide, around 1 million. BUT this is rarely useful.

Page 13

Your Questions (II)

“How easy is it to change the shape, design and layout of nodes and edges?”

• Very easy.

• Shapes, image nodes, font icons and other designs are possible.

• 6 extensible & customizable automated layouts available.

“Does WebGL handle rendering thousands of nodes and edges well on a machine with, say, an Intel HD 3000?”

• WebGL harnesses the machine’s GPU, so performance will vary.

• For reference, today’s demos were run on a MacBook Air with an Intel HD 5000.

Page 14

Your Questions

+ Live Questions…!

Page 15

Summary

● Cyber security data is big, complex and noisy.

● A good cyber security visualization needs:

➔ A well thought-out visual model and a defined question

➔ Functionality to overcome complexity and noise

◆ Good layouts, filtering, combos, time bar, geospatial

➔ Power to work with data at scale

● Graph visualization is the ideal tool.

We’d love to help!

Page 16

Thanks for joining us!

@CambridgeIntel Cambridge-Intelligence.com