IT Data Visualization: Applying Security Visualization
1. IT Data Visualization
Raffael Marty, GCIA, CISSP
Chief Security Strategist @ Splunk>
SUMIT, Michigan - October ‘08
2. Raffael Marty
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
- IBM Research
- Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
- http://secviz.org
- http://afterglow.sourceforge.net
Applied Security Visualization
Paperback: 552 pages
Publisher: Addison Wesley (August, 2008)
ISBN: 0321510100
3. Agenda
• IT Data Visualization
- Security Visualization Dichotomy
- Research Dichotomy
• IT Data Management
- A shifted crime landscape
• Perimeter Threat
• Insider Threat
• Security Visualization Community
Visualization is a more effective way of IT data management and analysis.
4. Visualization Questions
• Who analyzes logs?
• Who uses visualization for log analysis?
• Who has used DAVIX?
• Have you heard of SecViz.org?
• What tools are you using for log analysis?
6. What is Visualization?
Generate a picture from IT data
A picture is worth a thousand log records.
Explore and Inspire
Discover
• Answer a Question
• Pose a New Question
• Increase Efficiency
• Communicate Information
• Support Decisions
8. The 1st Dichotomy
Two domains: Security & Visualization
Security
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• are the end-users
Visualization
• types of data
• perception
• optics
• color theory
• depth cue theory
• interaction theory
• types of graphs
• human computer interaction
16. The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce data ink ratio
• Visualization principles
17. The 2nd Dichotomy
Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08
Two worlds: Industry & Academia
Industry
• don't understand the real impact
• get the 70% solution
• don't think big
• no time/money for real research
• can't scale
• work based off of a few customers' input
Academia
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data / domain
• work on simulated data
• construct their own problems
• use overly complicated, impractical solutions
• use graphs / visualization where it is not needed
18. The Way Forward
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline
• More academia / industry collaboration
19. My Focus Areas
• Use-case oriented visualization
• IT data management
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX
21. A Shifted Crime Landscape
• Crimes are moving up the stack: Physical Layer, Link Layer, Network Layer, Transport Layer, Application Layer
• Insider crime
• Large-scale spread of many small attacks
Questions are not known in advance!
• Are you prepared? Have the data when you need it!
• Are you monitoring enough?
22. What Is IT Data?
• Logs: /var/log/messages, /opt/log/* (multi-line files)
• Configurations: /etc/syslog.conf, /etc/hosts (entire files)
• Traps & Alerts: 1.3.6.1.2.1.25.3.3.1.2.2 = iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorLoad (multi-line structures)
• Scripts & Code: ps, netstat (multi-line table format)
• Change Events: file system changes, Windows Registry (hooks into the OS)
24. Sparklines
• "Data-intense, design-simple, word-sized graphics". Edward Tufte (2006). Beautiful Evidence. Graphics Press.
• Annotations on the sparkline: average and standard deviation band
• Examples:
- stock price over a day
- access to port 80 over the last week
• JavaScript implementation: http://omnipotent.net/jquery.sparkline/
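The slide's second example, access to port 80 over the last week, carried through from raw records to a word-sized graphic with its average and standard-deviation annotation. This is an added example written for this page, not code from the talk, from Splunk or from the jquery.sparkline project; the record format, the sample log lines, the Unicode block characters used as bars and the one-standard-deviation rule for marking an unusual day are all assumptions of the example.

```python
"""Sparkline of port-80 accesses per day, derived from firewall-style log lines.

Added example (not code from the talk or from jquery.sparkline). The record
format, the sample log and the Unicode bar rendering are assumptions here.
"""
import re
import statistics
from collections import Counter
from datetime import date, timedelta

# Assumed record format: "<date> <time> <action> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \S+ (\S+) -> (\S+):(\d+)$")
BARS = "▁▂▃▄▅▆▇█"  # eight levels, lowest to highest


def make_sample_log():
    """Construct one week of records (sample data, not a real capture)."""
    port80_per_day = {"2008-10-01": 3, "2008-10-02": 2, "2008-10-03": 4, "2008-10-04": 2,
                      "2008-10-05": 2, "2008-10-06": 9, "2008-10-07": 3}
    lines = []
    for day, n in port80_per_day.items():
        for i in range(n):
            lines.append(f"{day} 08:{i:02d}:00 ACCEPT 10.0.0.{i + 1} -> 192.168.1.10:80")
        lines.append(f"{day} 09:00:00 ACCEPT 10.0.0.9 -> 192.168.1.10:22")    # other port
        lines.append(f"{day} 09:30:00 DROP 203.0.113.7 -> 192.168.1.10:443")  # other port
    lines.append("### rotated-log header that does not parse ###")
    return "\n".join(lines)


def count_port_per_day(log_text, port, days):
    """Count records hitting `port` for each day in `days` (zero-filled, in order)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed records instead of aborting the whole run
        day, _src, _dst, dport = m.groups()
        if int(dport) == port:
            counts[day] += 1
    return [counts.get(d.isoformat(), 0) for d in days]


def sparkline(values):
    """Render values as one bar character each, scaled between their min and max."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return BARS[0] * len(values)
    return "".join(BARS[round((v - lo) / (hi - lo) * (len(BARS) - 1))] for v in values)


def summarize(values):
    """Average, population standard deviation and indexes more than one SD away."""
    mean = sum(values) / len(values)
    sd = statistics.pstdev(values)
    unusual = [i for i, v in enumerate(values) if abs(v - mean) > sd]
    return mean, sd, unusual


def weekly_port_report(log_text, end_day_iso, port=80, days=7):
    """Values, sparkline and annotation for the `days` days ending on end_day_iso."""
    end = date.fromisoformat(end_day_iso)
    window = [end - timedelta(days=days - 1 - i) for i in range(days)]
    values = count_port_per_day(log_text, port, window)
    mean, sd, unusual = summarize(values)
    return {"days": [d.isoformat() for d in window], "values": values,
            "spark": sparkline(values), "mean": mean, "sd": sd, "unusual": unusual}


if __name__ == "__main__":
    r = weekly_port_report(make_sample_log(), "2008-10-07")
    print(f"port 80 {r['spark']}  avg {r['mean']:.1f} sd {r['sd']:.1f}")
    for i in r["unusual"]:
        print(f"  {r['days'][i]}: {r['values'][i]} (more than one SD from average)")
```

The window is zero-filled from a date range rather than from the days that happen to appear in the log, so a day with no port-80 traffic shows as a dip instead of silently vanishing from the graphic.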
27. Three Types of Insider Threats
• Information Leak
• Fraud
• Sabotage
28. Example - Insider Threat Visualization
• More and other data sources than for the traditional security use-cases
• Insiders often have legitimate access to machines and data. You need to log more than the exceptions
• Insider crimes are often executed on the application layer. You need transaction data and chatty application logs
• The questions are not known in advance!
• Visualization provokes questions and helps find answers
• Dynamic nature of fraud
- Problem for static algorithms
- Bandits quickly adapt to fixed threshold-based detection systems
- Looking for any unusual patterns
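To make the right-hand column concrete: a fixed threshold that an insider has learned to stay under, beside a comparison of each user against their own history, both computed from the kind of chatty application log the left-hand column asks for. This is an added example written for this page, not code from the talk or from Splunk; the log line format, the user names, the per-day view counts and the z-score cut-off are constructed assumptions.

```python
"""Fixed threshold vs per-user baseline on application-layer transaction logs.

Added example (not from the talk). The log format, users, counts and the
cut-off values are constructed for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed: customer records viewed per day over a 14-day baseline period.
HISTORY = {
    "alice": [20, 19, 21, 20, 22, 18, 20, 21, 19, 20, 20, 21, 19, 20],
    "bob":   [48, 52, 50, 49, 51, 50, 53, 47, 50, 51, 49, 52, 50, 48],
    "carol": [10, 11, 9, 10, 12, 10, 9, 11, 10, 10, 11, 9, 10, 10],
}
# Constructed day 15: bob pulls far more than usual but stays under a round number.
TODAY = {"alice": 21, "bob": 95, "carol": 10}


def make_sample_log():
    """Emit one line per record view, as a chatty CRM application log would (constructed)."""
    lines = []
    for user, counts in HISTORY.items():
        for day_idx, n in enumerate(counts + [TODAY[user]]):
            for k in range(n):
                lines.append(f"2008-10-{day_idx + 1:02d} user={user} action=view_record id={k}")
    return "\n".join(lines)


# Assumed line format: "<date> user=<name> action=view_record id=<record>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=view_record id=\S+$")


def views_per_user_day(log_text):
    """Aggregate the transaction log into user -> day -> number of records viewed."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            day, user = m.group(1), m.group(2)
            counts[user][day] += 1
    return counts


def fixed_threshold_alerts(counts, day, threshold=100):
    """Static rule: alert when a user's daily count reaches the fixed threshold."""
    return sorted(u for u, per_day in counts.items() if per_day.get(day, 0) >= threshold)


def baseline_alerts(counts, day, k=3.0, min_sd=1.0, min_history=7):
    """Adaptive rule: alert when today's count is more than k SDs from the user's own history.

    min_sd stops a perfectly regular history from turning any change into an alert;
    min_history skips users without enough days to form a baseline.
    """
    alerts = []
    for user, per_day in counts.items():
        history = [n for d, n in sorted(per_day.items()) if d < day]
        if len(history) < min_history:
            continue
        mean = statistics.mean(history)
        sd = max(statistics.pstdev(history), min_sd)
        today = per_day.get(day, 0)
        z = (today - mean) / sd
        if abs(z) > k:
            alerts.append((user, today, round(mean, 1), round(z, 1)))
    return sorted(alerts)


if __name__ == "__main__":
    counts = views_per_user_day(make_sample_log())
    print("fixed threshold (>=100):", fixed_threshold_alerts(counts, "2008-10-15"))
    print("per-user baseline (|z|>3):", baseline_alerts(counts, "2008-10-15"))
```

The fixed rule returns nothing for day 15 because 95 is below 100, while the per-user comparison reports bob at roughly 27 standard deviations above his own average; the same aggregation also gives you the per-user, per-day series a sparkline needs, which is where the visual "unusual pattern" check starts.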