visualization for security

Raffael Marty, CEO

Visualization for Security

Blue Coat - Sunnyvale August, 2014

Secur i ty. Analyt ics . Ins ight .2

I am Raffy - I do Viz!

IBM Research


What is Security Visualization?

Treemap of a Firewall Log

• if found(machine)

• connect on port 135

• ping scan machines (echo requests)

Showing MS Blaster:


Security Visualization Can Be Beautiful

Part of Enron Email dataset

sender recipient


Security Visualization - Sometimes Abstract

Parallel Coordinates of an IDS log

Can you find anythinginteresting?


Security Visualization

One destinations isgetting hammered!

Parallel Coordinates of an IDS log


Security Visualization

One destinations isgetting hammered! !

Maybe a false positive?

Visualization


Basic Visualization Principles

How many 9’s?


How Many Nines?


What Product has Highest Profit? And Which has Worst Sales?


Table Charts

• The exact values are not important

• Comparisons • Highlights


Show Context

42


Show Context

42 is just a number

and means nothing without context


Use Numbers To Highlight Most Important Parts of Data

NumbersSummaries


Visualization Creates Context

Visualization Puts Numbers (Data) in Context!


Visualization To …

Present / Communicate Discover / Explore

Data Presentation


• Show comparisons, contrasts, differences • Show causality, mechanism, explanation, systematic

structure. • Show multivariate data; that is, show more than 1 or 2

variables. !

by Edward Tufte

Principals of Analytic Design


Comparison (to Normal)

DNS Reflection • 1:100 Amplification with DNS zone transfer for ripe.net domain • 309Gbps for 28 minutes, 30956 open resolver IPs, 3 networks that allowed

spoofing, 5-7 compromised servers

March 20, 2013


Causality / Explanation


Multi-Variate Data


Choosing Visualizations

Objective AudienceData

Charts

26


More Advanced Graphs

• Parallel Coordinates • Treemaps • Link Graphs • etc.


Additional information about objects, such as:

• machine • roles • criticality • location • owner • …

• user • roles • office location • …

Add Context

source destination

machine and user context

machine role

user role


Traffic Flow Analysis With Context


Intra-Role Anomaly - Random Order

users

time

dc(machines)


Add Context - User Roles

Administrator

Sales

Development

Finance

Admin???


http://www.scifiinterfaces.com/

• Black background • Blue or green colors • Glow

Aesthetics Matter

http://www.scifiinterfaces.com/

Dashboards


• Audience, audience, audience!

• Comprehensive Information (enough context)

• Highlight important data

• Use graphics when appropriate

• Good choice of graphics and design

• Aesthetically pleasing

• Enough information to decide if action is necessary

• No scrolling

• Real-time vs. batch? (Refresh-rates)

• Clear organization

Dashboard Design Principles


Netflix Dashboard

http://blog.fusioncharts.com/2014/04/how-netflix-plans-to-improve-its-operational-visibility-with-real-time-data-visualization/#more-7243

37

Data Discovery & Exploration


Visualize Me Lots (>1TB) of Data


Data Visualization Workflow

Overview Zoom / Filter Details on Demand

Principle by Ben Shneiderman


This visualization process requires:

• Low latency, scalable backend (columnar, distributed data store)

• Efficient client-server communications and caching

• Assistance of data mining to

• Reduce overall data to look at

• Highlight relationships, patterns, and outliers

• Assist analyst in focussing on ‘important’ areas

Backend Support


What I am Working On

Data Stores Analytics Forensics Models Admin

10.9.79.109 --> 3.16.204.150 10.8.24.80 --> 192.168.148.19310.8.50.85 --> 192.168.148.19310.8.48.128 --> 192.168.148.19310.9.79.6 --> 192.168.148.193

10.9.79.6

10.8.48.128

80

538.8.8.8

127.0.0.1

Anomalies

Decomposition

Data

Seasonal

Trend

Anomaly Details

“Hunt” ExplainCommunicate


Visualization Principles

• Use numbers to highlight most important data

• Use visualizations to put data in context

• Show comparisons, causality, and multivariate data

• To find the right visualization, focus on: Objective, Data, Audience

• Use data context to augment data and tell a story

Visualization can be used for for presentation and/or exploration

• Exploration paradigm: Overview first, zoom and filter, details on demand

Recap

43

[email protected]

http://slideshare.net/zrlram http://secviz.org and @secviz

Further resources:

mailto:[email protected]?subject=IBM%20Visualization

http://slideshare.net/zrlram

http://secviz.org

http://twitter.com/secviz

visualization for security

Internet

data

highlight

context

security

time

gt

insight

hammered