Visualization for Security
Transcript of Visualization for Security
![Page 1: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/1.jpg)
Raffael Marty, CEO
Visualization for Security
Blue Coat, Sunnyvale, August 2014
![Page 2: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/2.jpg)
Security. Analytics. Insight.
I am Raffy - I do Viz!
IBM Research
![Page 3: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/3.jpg)
What is Security Visualization?
Treemap of a Firewall Log
Showing MS Blaster:
• ping scan machines (echo requests)
• if found(machine)
• connect on port 135
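The pattern the treemap exposes (a ping sweep followed by connections to TCP/135 on the hosts that were swept) can also be pulled out of the log programmatically. The following is an added example, not code from the talk: it parses a handful of constructed, iptables-style syslog lines (the field names `SRC`, `DST`, `PROTO`, `DPT`, `TYPE` are assumptions about the log format), builds the source → protocol/port → count hierarchy a treemap would draw, and flags sources that show the scan-then-connect sequence. Dropped connection attempts still count, because the worm tries regardless of whether the firewall lets it through.

```python
"""Detect the MS Blaster scan-then-connect pattern in a firewall log.

Added example, not from the slides.  The log lines are constructed and the
iptables-like field layout is an assumption about the log format.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic).  10.0.0.7 behaves like the
# slide describes: echo requests to several hosts, then TCP/135 to hosts it pinged.
SAMPLE_LOG = """\
Aug 12 10:00:01 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.1.1 PROTO=ICMP TYPE=8
Aug 12 10:00:01 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.1.2 PROTO=ICMP TYPE=8
Aug 12 10:00:01 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.1.3 PROTO=ICMP TYPE=8
Aug 12 10:00:01 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.1.4 PROTO=ICMP TYPE=8
Aug 12 10:00:02 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.1.1 PROTO=TCP DPT=135
Aug 12 10:00:02 fw kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.1.3 PROTO=TCP DPT=135
Aug 12 10:00:05 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=10.0.1.1 PROTO=ICMP TYPE=8
Aug 12 10:00:06 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=10.0.1.1 PROTO=TCP DPT=80
Aug 12 10:00:07 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.12 DST=10.0.1.1 PROTO=TCP DPT=443
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one log line into a dict of its KEY=VALUE fields plus the action."""
    action = line.split("kernel: ")[1].split()[0]   # ACCEPT / DROP
    rec = dict(FIELD.findall(line))
    rec["action"] = action
    return rec


def treemap_counts(lines):
    """Aggregate the log into the hierarchy a treemap of it would draw:
    source -> protocol/port (ICMP type for ICMP) -> number of log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in map(parse, lines):
        key = f"{rec['PROTO']}/{rec.get('DPT', rec.get('TYPE', '-'))}"
        counts[rec["SRC"]][key] += 1
    return {src: dict(v) for src, v in counts.items()}


def blaster_like_sources(lines, min_pinged=3):
    """Sources that echo-request at least min_pinged distinct hosts and then
    attempt TCP/135 to hosts they pinged.  Returns {source: [rpc targets]}."""
    pinged = defaultdict(set)          # source -> hosts it sent echo requests to
    rpc_after_ping = defaultdict(set)  # source -> pinged hosts it then hit on 135
    for rec in map(parse, lines):
        src, dst = rec["SRC"], rec["DST"]
        if rec["PROTO"] == "ICMP" and rec.get("TYPE") == "8":
            pinged[src].add(dst)
        elif rec["PROTO"] == "TCP" and rec.get("DPT") == "135" and dst in pinged[src]:
            rpc_after_ping[src].add(dst)
    return {src: sorted(rpc_after_ping[src]) for src in pinged
            if len(pinged[src]) >= min_pinged and rpc_after_ping[src]}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(treemap_counts(lines))
    print(blaster_like_sources(lines))
```

The order check (135 only counts after an echo request to the same host) is what separates the worm from an ordinary monitoring station that pings everything; a threshold on distinct pinged hosts keeps a single ping-then-RPC pair from firing.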
![Page 4: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/4.jpg)
Security Visualization Can Be Beautiful
Part of Enron Email dataset (axes: sender, recipient)
![Page 5: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/5.jpg)
Security Visualization - Sometimes Abstract
Parallel Coordinates of an IDS log
Can you find anything interesting?
![Page 6: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/6.jpg)
Security Visualization
One destination is getting hammered!
Parallel Coordinates of an IDS log
![Page 7: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/7.jpg)
Security Visualization
One destination is getting hammered!
Maybe a false positive?
![Page 8: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/8.jpg)
Visualization
![Page 9: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/9.jpg)
Basic Visualization Principles
How many 9’s?
![Page 10: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/10.jpg)
How Many Nines?
![Page 11: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/11.jpg)
What Product has Highest Profit? And Which has Worst Sales?
![Page 12: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/12.jpg)
Table Charts
• The exact values are not important
• Comparisons
• Highlights
![Page 13: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/13.jpg)
Show Context
42
![Page 14: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/14.jpg)
Show Context
42 is just a number
and means nothing without context
![Page 15: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/15.jpg)
![Page 16: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/16.jpg)
Use Numbers To Highlight Most Important Parts of Data
Numbers, Summaries
![Page 17: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/17.jpg)
Visualization Creates Context
Visualization Puts Numbers (Data) in Context!
![Page 18: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/18.jpg)
Visualization To …
• Present / Communicate
• Discover / Explore
![Page 19: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/19.jpg)
Data Presentation
![Page 20: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/20.jpg)
Principles of Analytic Design, by Edward Tufte
• Show comparisons, contrasts, differences
• Show causality, mechanism, explanation, systematic structure
• Show multivariate data; that is, show more than 1 or 2 variables
![Page 21: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/21.jpg)
Comparison (to Normal)
DNS Reflection, March 20, 2013
• 1:100 amplification with DNS zone transfer for the ripe.net domain
• 309 Gbps for 28 minutes, 30956 open resolver IPs, 3 networks that allowed spoofing, 5-7 compromised servers
![Page 22: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/22.jpg)
Causality / Explanation
![Page 23: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/23.jpg)
Multi-Variate Data
![Page 24: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/24.jpg)
Choosing Visualizations
Objective, Data, Audience
![Page 25: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/25.jpg)
![Page 26: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/26.jpg)
Charts
![Page 27: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/27.jpg)
More Advanced Graphs
• Parallel Coordinates
• Treemaps
• Link Graphs
• etc.
![Page 28: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/28.jpg)
Add Context
Additional information about objects, such as:
• machine: roles, criticality, location, owner, …
• user: roles, office location, …
[Figure: source → destination links annotated with machine and user context (machine role, user role)]
![Page 29: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/29.jpg)
Traffic Flow Analysis With Context
![Page 30: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/30.jpg)
Intra-Role Anomaly - Random Order
[Figure: matrix of users × time; value: dc(machines), the distinct count of machines each user touched]
![Page 31: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/31.jpg)
Add Context - User Roles
[Figure: the same matrix with users grouped by role: Administrator, Sales, Development, Finance. Admin???]
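The two slides above (joining machine and user context onto events, then comparing each user with peers in the same role) come down to an enrichment join followed by a grouped baseline. The block below is an added example, not the talk's code: the login events and the role directory are constructed, and `min_excess` is an assumed threshold. It computes dc(machines) per user and shows why the role context matters: against the whole population, the administrators look anomalous simply because their job touches many machines; against their own role, only the Sales user who behaves like an administrator stands out.

```python
"""Add role context to login events and look for intra-role outliers.

Added example, not from the slides.  Events and the role directory are
constructed; the tuple layout and the min_excess threshold are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed role directory: the context that gets joined onto the events.
USER_ROLES = {
    "alice": "Administrator", "bob": "Administrator",
    "carol": "Sales", "dave": "Sales", "erin": "Sales", "frank": "Sales",
    "grace": "Development", "heidi": "Development", "ivan": "Development",
    "judy": "Finance", "mallory": "Finance",
}

# Constructed login events as (user, machine) pairs.
EVENTS = [
    ("alice", "srv01"), ("alice", "srv02"), ("alice", "srv03"), ("alice", "srv04"), ("alice", "srv07"),
    ("bob", "srv01"), ("bob", "srv05"), ("bob", "srv06"),
    ("carol", "ws-carol"), ("carol", "crm"),
    ("dave", "ws-dave"), ("dave", "crm"),
    ("erin", "ws-erin"),
    # frank is in Sales but touches as many machines as an administrator
    ("frank", "ws-frank"), ("frank", "srv01"), ("frank", "srv02"),
    ("frank", "srv03"), ("frank", "srv05"), ("frank", "crm"),
    ("grace", "build01"), ("grace", "ws-grace"),
    ("heidi", "build01"), ("heidi", "ws-heidi"), ("heidi", "git"),
    ("ivan", "ws-ivan"),
    ("judy", "erp"), ("judy", "ws-judy"),
    ("mallory", "erp"),
]


def enrich(events, roles):
    """Join the user's role onto each event.  Users missing from the directory
    get the role 'unknown' instead of being dropped, so directory gaps stay visible."""
    return [(user, machine, roles.get(user, "unknown")) for user, machine in events]


def distinct_machines_per_user(enriched):
    """dc(machines): the distinct count of machines each user touched."""
    seen = defaultdict(set)
    for user, machine, _ in enriched:
        seen[user].add(machine)
    return {user: len(machines) for user, machines in seen.items()}


def _outliers(enriched, group_of, min_excess):
    """Users whose dc(machines) exceeds the median of their group by more than
    min_excess.  Returns sorted (user, group, dc, group_median) tuples."""
    dc = distinct_machines_per_user(enriched)
    by_group = defaultdict(list)
    for user, n in dc.items():
        by_group[group_of(user)].append(n)
    group_median = {g: median(v) for g, v in by_group.items()}
    return sorted((u, group_of(u), n, group_median[group_of(u)])
                  for u, n in dc.items() if n - group_median[group_of(u)] > min_excess)


def population_outliers(enriched, min_excess=2):
    """Baseline without context: everyone is compared with the whole population,
    so administrators, who legitimately touch many machines, get flagged too."""
    return _outliers(enriched, lambda user: "all", min_excess)


def intra_role_outliers(enriched, min_excess=2):
    """With context: each user is compared only with peers in the same role."""
    role_of = {user: role for user, _, role in enriched}
    return _outliers(enriched, lambda user: role_of[user], min_excess)


if __name__ == "__main__":
    enriched = enrich(EVENTS, USER_ROLES)
    print("no context:", population_outliers(enriched))
    print("per role:  ", intra_role_outliers(enriched))
```

A median rather than a mean is used for the per-role baseline so that the one user under investigation does not drag the baseline up to meet themselves; with only a handful of users per role that effect is large.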
![Page 32: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/32.jpg)
Aesthetics Matter
• Black background
• Blue or green colors
• Glow
http://www.scifiinterfaces.com/
![Page 33: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/33.jpg)
Dashboards
![Page 34: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/34.jpg)
Dashboard Design Principles
• Audience, audience, audience!
• Comprehensive information (enough context)
• Highlight important data
• Use graphics when appropriate
• Good choice of graphics and design
• Aesthetically pleasing
• Enough information to decide if action is necessary
• No scrolling
• Real-time vs. batch? (Refresh rates)
• Clear organization
![Page 35: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/35.jpg)
Netflix Dashboard
http://blog.fusioncharts.com/2014/04/how-netflix-plans-to-improve-its-operational-visibility-with-real-time-data-visualization/#more-7243
![Page 36: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/36.jpg)
![Page 37: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/37.jpg)
Data Discovery & Exploration
![Page 38: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/38.jpg)
Visualize Me Lots (>1TB) of Data
![Page 39: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/39.jpg)
Data Visualization Workflow
Overview → Zoom / Filter → Details on Demand
Principle by Ben Shneiderman
![Page 40: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/40.jpg)
Backend Support
This visualization process requires:
• Low latency, scalable backend (columnar, distributed data store)
• Efficient client-server communications and caching
• Assistance of data mining to:
  • Reduce overall data to look at
  • Highlight relationships, patterns, and outliers
  • Assist analyst in focussing on ‘important’ areas
![Page 41: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/41.jpg)
What I am Working On
[Screenshot of the tool: tabs Data Stores, Analytics, Forensics, Models, Admin; a flow list (10.9.79.109 --> 3.16.204.150, 10.8.24.80 --> 192.168.148.193, 10.8.50.85 --> 192.168.148.193, 10.8.48.128 --> 192.168.148.193, 10.9.79.6 --> 192.168.148.193); a link graph with nodes 10.9.79.6, 10.8.48.128, 80, 53, 8.8.8.8, 127.0.0.1; panels Anomalies, Decomposition (Data, Seasonal, Trend), Anomaly Details]
“Hunt” / Explain / Communicate
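The Decomposition panel in that screenshot splits a series into Data, Seasonal and Trend, and anomalies are whatever is left once those two are removed. The block below is an added example of that idea, not the tool's own method: it builds a constructed hourly event count (a slowly rising level, a business-hours daily profile, bounded noise and one injected spike), estimates the trend with a centred rolling median over one period, the seasonal component as the per-phase median of the detrended values, and flags residuals that exceed a MAD-based threshold. The floor on the scale estimate and the factor `k` are assumptions; the point is that a spike of a size that would be ordinary during the daytime peak is still caught because it is judged against what that hour normally looks like.

```python
"""Seasonal/trend decomposition of an hourly count, with anomalies taken
from the residual.

Added example, not the talk's code.  The series is constructed and the
robust-median decomposition is one simple choice, not the tool's method.
"""
from statistics import median

PERIOD = 24  # hourly data with a daily cycle


def _noise(n, seed=7):
    """Deterministic pseudo-noise in [-1, 1] (LCG) so the example is reproducible."""
    x, out = seed, []
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2**31
        out.append((x % 2001) / 1000.0 - 1.0)
    return out


def constructed_series(days=4, spike_at=60, spike=300.0):
    """Level 100 drifting up 0.1/hour, a business-hours daily profile,
    bounded noise and one injected spike (constructed data, not a real feed)."""
    profile = [0.0] * 8 + [50.0] * 10 + [20.0] * 6   # hours 0-7, 8-17, 18-23
    noise = _noise(days * PERIOD)
    data = [100.0 + 0.1 * i + profile[i % PERIOD] + noise[i]
            for i in range(days * PERIOD)]
    data[spike_at] += spike
    return data


def decompose(data, period=PERIOD):
    """Return (trend, seasonal, residual).  Trend is a centred rolling median
    over one period (None where the window does not fit, as at the edges);
    seasonal is the per-phase median of the detrended values; residual is the rest."""
    n, half = len(data), period // 2
    trend = [None] * n
    for i in range(half, n - half + 1):
        trend[i] = median(data[i - half:i + half])   # window i-half .. i+half-1
    detrended = [None if t is None else d - t for d, t in zip(data, trend)]
    per_phase = [[d for d in detrended[ph::period] if d is not None]
                 for ph in range(period)]
    phase_median = [median(v) if v else 0.0 for v in per_phase]
    seasonal = [phase_median[i % period] for i in range(n)]
    residual = [None if d is None else d - s for d, s in zip(detrended, seasonal)]
    return trend, seasonal, residual


def anomalies(residual, k=8.0, scale_floor=1.0):
    """Indices whose |residual| exceeds k times a MAD-based scale.  The floor
    keeps a perfectly regular series from flagging float noise; k is an assumption."""
    valid = [r for r in residual if r is not None]
    centre = median(valid)
    mad = median([abs(r - centre) for r in valid])
    threshold = k * max(1.4826 * mad, scale_floor)
    return [i for i, r in enumerate(residual) if r is not None and abs(r) > threshold]


if __name__ == "__main__":
    series = constructed_series()
    trend, seasonal, residual = decompose(series)
    for i in anomalies(residual):
        print(f"hour {i}: value {series[i]:.1f}, expected "
              f"{trend[i] + seasonal[i]:.1f}, residual {residual[i]:.1f}")
```

The rolling median is deliberately chosen over a moving average: a single spike barely moves a median, whereas it would smear itself across every average window that contains it and show up as a band of false residuals around the real event.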
![Page 42: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/42.jpg)
Recap
Visualization Principles
• Use numbers to highlight most important data
• Use visualizations to put data in context
• Show comparisons, causality, and multivariate data
• To find the right visualization, focus on: Objective, Data, Audience
• Use data context to augment data and tell a story
• Visualization can be used for presentation and/or exploration
• Exploration paradigm: Overview first, zoom and filter, details on demand
![Page 43: Visualization for Security](https://reader033.fdocuments.net/reader033/viewer/2022052521/5453e5e0b1af9f95228b47f6/html5/thumbnails/43.jpg)
Further resources:
http://slideshare.net/zrlram
http://secviz.org and @secviz