Security administrators: The experts need better tools too!


Post on 21-Dec-2015


TRANSCRIPT

Page 1: Security administrators The experts need better tools too!

Security administrators

The experts need better tools too!

Page 2: Agenda

Projects?
  – Final conflicts?
  – Report and presentations

Security admins

General wrap-up

Page 3: Report and presentation

Intro and motivation

Describe the study: tasks, surveys, how many users, etc.

Describe the results: tables of data, issues observed, etc.

Describe the implications: what do the results mean? What would someone do with these results?

Future work: how would you modify the study based on your pilot? What future studies does this suggest?

Page 4: Security Administrator Knowledge

Growing more and more difficult

Decade ago:
  – possible for intimate knowledge of smaller computer systems, fewer applications and infrastructures to support
  – An intruder also likely needed intimate knowledge, less malicious code out there

Now:
  – large operating systems, 10s of thousands of files, large infrastructures
  – Widely distributed attack tools, very interconnected networks, infection occurs everywhere all the time

Slides adapted from Matthew DeSantis, CMU

Page 5: (Some) tools of the trade

Intrusion Detection Systems (IDS)
  – Monitor network traffic and alert to suspicious patterns

Scanning tools
  – Look for known vulnerabilities in networks and machines

File/host integrity tools
  – Virus detection
  – Filesystem monitoring

Home-made scripts
  – Filter and process log files, run services, etc.

Information sources
  – Descriptions of attacks, source code, etc.

Page 6: Admin challenges

Problems complex, still require human judgement to determine and solve

Information overload
  – Large numbers of alerts and emails
  – Large log files
  – Many tools to help with different tasks

Usability still not an aspect of these tools
  – Command lines rule
  – No standards for tool output, difficult to synthesize

Page 7: Solutions?

Identify work practices and needs of these users
  – What are the implications of having security experts as users?
  – What usability properties do tools need to have?

Visualization
  – Help users identify patterns in high volume data
  – Synthesize data from multiple sources to provide higher level views
  – Challenge: another thing to attack
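Pages 6 and 7 point at the same gap: every tool emits its own output format, so an administrator ends up synthesizing alerts and log files by hand. As an added illustration (not part of the slides, and not code from any of the tools named on them), the script below normalizes two differently formatted log sources into one record shape and then aggregates by source address, which is the kind of higher-level view the visualization bullet asks for. The sample log lines, the field names, the `corroborated` helper and the `year` default for the year-less syslog timestamps are all constructed for this example.

```python
"""Normalize two log sources with different formats into one record shape
and summarize them by source IP.  All sample data below is constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: a syslog-style auth log (no year in the timestamp)
# and an IDS alert log in a key=value style.  Formats are illustrative only.
AUTH_LOG = """\
Dec 21 03:14:07 host1 sshd[2231]: Failed password for root from 198.51.100.23 port 51522 ssh2
Dec 21 03:14:09 host1 sshd[2231]: Failed password for root from 198.51.100.23 port 51530 ssh2
Dec 21 03:15:01 host1 sshd[2240]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
"""

IDS_LOG = """\
2015-12-21T03:14:08Z ALERT sid=1001 msg="SSH brute force attempt" src=198.51.100.23 dst=10.0.0.5
2015-12-21T03:20:44Z ALERT sid=2002 msg="Port scan" src=203.0.113.7 dst=10.0.0.5
"""

AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" src=(?P<ip>[\d.]+) dst=(?P<dst>[\d.]+)'
)


def parse_auth(text, year=2015):
    """Parse sshd auth lines; `year` is assumed because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not guessed at
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": "auth", "ip": m["ip"],
                       "event": f"ssh_{m['result'].lower()}:{m['user']}"})
    return events


def parse_ids(text):
    """Parse the constructed IDS alert format into the same record shape."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "source": "ids", "ip": m["ip"],
                       "event": f"ids:{m['msg']}"})
    return events


def summarize(events):
    """Group normalized events by source IP: one view over both raw logs."""
    by_ip = defaultdict(lambda: {"sources": set(), "events": Counter(),
                                 "first": None, "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        rec = by_ip[e["ip"]]
        rec["sources"].add(e["source"])
        rec["events"][e["event"]] += 1
        rec["first"] = rec["first"] or e["ts"]
        rec["last"] = e["ts"]
    return dict(by_ip)


def corroborated(summary):
    """Source IPs seen by more than one tool: where synthesis pays off."""
    return sorted(ip for ip, rec in summary.items() if len(rec["sources"]) > 1)


if __name__ == "__main__":
    summary = summarize(parse_auth(AUTH_LOG) + parse_ids(IDS_LOG))
    for ip, rec in summary.items():
        flag = " <- seen by both tools" if ip in corroborated(summary) else ""
        print(f"{ip}: {rec['first']} .. {rec['last']} "
              f"{dict(rec['events'])}{flag}")
```

The point of the example is the shared record shape (`ts`, `source`, `ip`, `event`): once both parsers emit it, the aggregation and any chart drawn from it are tool-independent, and an address that shows up in two independent sources stands out without anyone reading both files.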

Page 8: Example - NVisionIP

http://security.ncsa.uiuc.edu/distribution/NVisionIPDownLoad.html

Visualize traffic flows to/from every machine on a large computer network

Page 9: Rumint

Visualize network packets

http://www.rumint.org/

Page 10: Rainstorm IDS

Visualize IDS alarm events over an entire network space

Page 11: Wormhole detection

Weichao Wang and Aidong Lu, UNCC

Page 12: What else?

Advantages, disadvantages of visualizations?

Why don't sysadmins use more of these visualization tools?

What else could potentially make security administrators' jobs easier?

What do end users need to know about security administrators?

Page 13: Course wrap-up

Big lessons:
  – HCI can play a role in security and privacy solutions
  – Security and privacy are secondary tasks
  – Usability is not necessarily contrary to security
  – As with anything, tradeoffs in approaches
  – Good user-centered design can improve today's tools

Page 14: So what have you learned?

What are the biggest lessons you take away from this course?

How will you incorporate what you have learned into your job or life?

What are important new themes to study in this area?
  – What needs additional focus?
  – Anything we didn't cover you think is really important?

Page 15: Next week

Give me 24 hours to give you feedback on a project draft

Presentations: 6:30pm in CHHS 285