IT Data Visualization
Raffael Marty, GCIA, CISSP
Chief Security Strategist @ Splunk>

SUMIT, Michigan - October ‘08
Raffael Marty
• Chief Security Strategist @ Splunk>
• Looked at logs/IT data for over 10 years
 -   IBM Research
 -   Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
 -   http://secviz.org
 -   http://afterglow.sourceforge.net

Applied Security Visualization
Paperback: 552 pages
Publisher: Addison Wesley (August, 2008)
ISBN: 0321510100
Agenda
• IT Data Visualization
 -   Security Visualization Dichotomy
 -   Research Dichotomy
• IT Data Management
 -   A shifted crime landscape
• Perimeter Threat
• Insider Threat
• Security Visualization Community

Visualization is a more effective way of IT data management and analysis.

Visualization Questions
• Who analyzes logs?
• Who uses visualization for log analysis?
• Who has used DAVIX?
• Have you heard of SecViz.org?
• What tools are you using for log analysis?

IT Data Visualization


      Applied Security Visualization, Chapter 3
What is Visualization?
Generate a picture from IT data. A picture is worth a thousand log records.

Explore and Discover / Inspire:
• Answer a Question
• Pose a New Question
• Increase Efficiency
• Communicate Information
• Support Decisions

Information Visualization Process
Capture -> Process -> Visualize

The 1st Dichotomy
Two domains: Security & Visualization

Security
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• are the end-users

Visualization
• types of data
• perception
• optics
• color theory
• depth cue theory
• interaction theory
• types of graphs
• human computer interaction

The Failure - New Graphs
[figure only]

The Right Thing - Reuse Graphs
[figure only]

The Failure - The Wrong Graph
[figure only]

The Right Thing - Adequate Graphs
[figure only]

The Failure - The Wrong Integration
[figure: a screenshot of /usr/share/man/man5/launchd.plist.5 next to a property-list XML file, standing in for a proprietary data format]
• Using proprietary data format
• Provide parsers for various data formats
 • does not scale
 • is probably buggy / incomplete
• Use wrong data access paradigm
 • complex configuration
   e.g., needs an SSH connection

The Right Thing - KISS
[figure: the same launchd.plist.5 / property-list screenshot as on the previous slide]
• Keep It Simple Stupid
• Use CSV input
• Use files as input
• Offload to other tools
 • parsers
 • data conversions

Property-file excerpt shown on the slide:
# Using node sizes:
size.source=1;
size.target=200
maxNodeSize=0.2

The Failure - Unnecessary Ink
[figure only]

The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce non-data ink (maximize the data-ink ratio)
• Visualization principles

The 2nd Dichotomy
Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08

Two worlds: Industry & Academia

Industry
• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few customers’ input

Academia
• don’t know what’s been done in industry
• don’t understand the use-cases
• don’t understand the environments / data / domain
• work on simulated data
• construct their own problems
• use overly complicated, impractical solutions
• use graphs / visualization where it is not needed

The Way Forward
•   Building a secviz discipline
•   Bridging the gap
•   Learning the “other” discipline
•   More academia / industry collaboration

Security Visualization = SecViz

My Focus Areas
• Use-case oriented visualization
• IT data management
• Perimeter Threat
• Governance Risk Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX

IT Data Management

A Shifted Crime Landscape
[figure: the protocol stack, top to bottom: Application Layer, Transport Layer, Network Layer, Link Layer, Physical Layer]
• Crimes are moving up the stack
• Insider crime
• Large-scale spread of many small attacks

Questions are not known in advance!

• Are you prepared? Have the data when you need it!
• Are you monitoring enough?

What Is IT Data?
Category          Examples                                                         Shape of the data
Logs              /var/log/messages, /opt/log/*                                    multi-line files
Configurations    /etc/syslog.conf, /etc/hosts                                     entire files
Traps & Alerts    1.3.6.1.2.1.25.3.3.1.2.2                                         multi-line structures
                  (iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorLoad)
Scripts & Code    ps, netstat                                                      multi-line table format
Change Events     File system changes, Windows Registry                            hooks into the OS

Perimeter Threat

    Applied Security Visualization, Chapter 6
Sparklines
• "Data-intense, design-simple, word-sized graphics". Edward Tufte (2006). Beautiful Evidence. Graphics Press.
[figure: a sparkline annotated with its Average and Standard Deviation]
• Examples:
 -   stock price over a day
 -   access to port 80 over the last week
• JavaScript implementation: http://omnipotent.net/jquery.sparkline/

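The second example on the slide (accesses to port 80 over the last week) worked through in code. This is an added example, not code from the slides or from the jQuery plugin: it counts port-80 hits per day from constructed iptables-style firewall lines, renders the counts as a word-sized sparkline, and flags the days that fall outside the average plus or minus one standard deviation, which is the band the slide's figure annotates. The log format, the year (syslog timestamps carry none) and the one-sigma cutoff are assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed iptables-style firewall lines for one week (not from the slides):
# a few accepted connections per day, with a burst of port-80 hits early on Oct 17.
SAMPLE_LOG = """\
Oct 13 08:12:01 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 13 13:40:22 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 13 14:02:10 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 14 09:15:43 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.6 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 15 10:01:00 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 15 17:30:12 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 16 11:11:11 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 16 11:12:00 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP DPT=443
Oct 17 02:00:01 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 17 02:00:02 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 17 02:00:03 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 17 02:00:04 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 17 09:30:00 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 18 08:00:00 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.6 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 18 16:45:09 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 19 12:00:00 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=80
"""

# Syslog prefix (month, day, time) followed by a netfilter-style DPT= field.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d .*\bDPT=(?P<dpt>\d+)\b"
)
BARS = "▁▂▃▄▅▆▇█"  # eight levels, lowest to highest


def daily_port_hits(lines, port=80, year=2008):
    """Count lines per calendar day whose destination port equals `port`.
    Returns a date-sorted list of (date, count). Lines for other ports or
    lines the regex does not understand are ignored."""
    per_day = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("dpt")) != port:
            continue
        stamp = f"{m.group('mon')} {m.group('day')} {year}"
        per_day[datetime.strptime(stamp, "%b %d %Y").date()] += 1
    return sorted(per_day.items())


def sparkline(values):
    """Render a list of numbers as a word-sized run of block characters,
    scaled between the minimum and maximum of the series."""
    if not values:
        return ""
    lo, hi = min(values), max(values)
    span = (hi - lo) or 1  # a flat series renders as the lowest bar
    return "".join(BARS[round((v - lo) / span * (len(BARS) - 1))] for v in values)


def anomalous_indexes(values, k=1.0):
    """Indexes of values lying outside mean +/- k * sigma (population sigma),
    i.e. the points a sparkline's average/standard-deviation band would single out."""
    if len(values) < 2:
        return []
    mean, sigma = statistics.fmean(values), statistics.pstdev(values)
    return [i for i, v in enumerate(values) if abs(v - mean) > k * sigma]


def port_sparkline_report(lines, port=80, year=2008, k=1.0):
    """Tie the pieces together: daily counts, the sparkline, the band statistics
    and the dates that fall outside the band."""
    hits = daily_port_hits(lines, port, year)
    values = [n for _, n in hits]
    return {
        "days": [d for d, _ in hits],
        "counts": values,
        "spark": sparkline(values),
        "mean": statistics.fmean(values) if values else 0.0,
        "stdev": statistics.pstdev(values) if values else 0.0,
        "flagged": [hits[i][0] for i in anomalous_indexes(values, k)],
    }


if __name__ == "__main__":
    r = port_sparkline_report(SAMPLE_LOG.splitlines())
    print(f"port 80 per day: {r['spark']}  mean={r['mean']:.2f} sd={r['stdev']:.2f}")
    for d in r["flagged"]:
        print(f"  outside mean +/- 1 sigma: {d.isoformat()}")
```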
Port Sparklines
[figure: sparklines per Port, Source IP and Destination IP]

Insider Threat

   Applied Security Visualization, Chapter 8

Three Types of Insider Threats
• Fraud
• Information Leak
• Sabotage

Example - Insider Threat Visualization
• More and other data sources than for the traditional security use-cases
• Insiders often have legitimate access to machines and data. You need to log more than the exceptions
• Insider crimes are often executed on the application layer. You need transaction data and chatty application logs
• The questions are not known in advance!
• Visualization provokes questions and helps find answers
• Dynamic nature of fraud
• Problem for static algorithms
• Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns

User Activity
[figure: user activity graph; color indicates failed logins, with a callout on the node showing a high ratio of failed logins]

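One script works through both the KISS slide (CSV input, files as input, parsers offloaded to other tools) and this User Activity slide (color driven by the ratio of failed logins). This is an added example, not code from the slides or from AfterGlow: a small parser converts constructed sshd syslog lines into the header-less three-column CSV that AfterGlow consumes, so the visualization tool never has to understand the log format, and a second pass computes the per-user failed-login ratio that would drive node color. The color thresholds and the minimum number of attempts before a user is judged are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sshd syslog lines (not from the slides). One unrelated cron line is
# included to show that non-matching records are counted and skipped, not parsed.
SAMPLE_AUTH_LOG = """\
Oct 20 09:01:12 host1 sshd[4210]: Accepted password for alice from 10.1.1.20 port 50213 ssh2
Oct 20 09:02:40 host1 sshd[4222]: Failed password for alice from 10.1.1.20 port 50220 ssh2
Oct 20 09:03:05 host1 sshd[4230]: Failed password for bob from 203.0.113.7 port 41000 ssh2
Oct 20 09:03:09 host1 sshd[4231]: Failed password for bob from 203.0.113.7 port 41002 ssh2
Oct 20 09:03:15 host1 sshd[4232]: Failed password for invalid user admin from 203.0.113.7 port 41005 ssh2
Oct 20 09:04:00 host1 sshd[4240]: Accepted publickey for carol from 10.1.1.31 port 50301 ssh2
Oct 20 09:04:30 host1 sshd[4241]: Accepted password for bob from 10.1.1.40 port 50400 ssh2
Oct 20 09:05:00 host1 cron[4250]: (root) CMD (run-parts /etc/cron.hourly)
"""

# OpenSSH "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd(lines):
    """Return (events, skipped): events are (source_ip, user, outcome) tuples
    with outcome 'accepted' or 'failed'; skipped counts lines that did not match."""
    events, skipped = [], 0
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            skipped += 1
            continue
        events.append((m.group("src"), m.group("user"), m.group("outcome").lower()))
    return events, skipped


def to_afterglow_csv(events):
    """Header-less three-column CSV (source node, event node, target node).
    This file is the only thing the graphing tool has to read; the parsing
    above stays outside it, as the KISS slide recommends."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(events)
    return buf.getvalue()


def failed_login_ratio(events):
    """Per user: (failed, total, failed / total)."""
    failed, total = defaultdict(int), defaultdict(int)
    for _, user, outcome in events:
        total[user] += 1
        if outcome == "failed":
            failed[user] += 1
    return {u: (failed[u], total[u], failed[u] / total[u]) for u in total}


def colour_for(failed, total, min_attempts=2):
    """Assumed colour scale for the user node. A ratio built on a single
    attempt says little, so such users stay grey until more data arrives."""
    if total < min_attempts:
        return "grey"
    ratio = failed / total
    if ratio >= 0.5:
        return "red"
    if ratio > 0.0:
        return "orange"
    return "green"


if __name__ == "__main__":
    events, skipped = parse_sshd(SAMPLE_AUTH_LOG.splitlines())
    print(to_afterglow_csv(events), end="")  # feed this to AfterGlow as its CSV input
    for user, (f, t, r) in sorted(failed_login_ratio(events).items()):
        print(f"# {user}: {f}/{t} failed ({r:.0%}) -> {colour_for(f, t)}")
    print(f"# skipped {skipped} non-sshd line(s)")
```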
Security Visualization Community

SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about security visualization.

DAVIX - Data Analysis and Visualization Linux
davix.secviz.org

Tools (non-exhaustive list)
Capture
- Network tools
  ‣ Argus
  ‣ Snort
  ‣ Wireshark
- Logging
  ‣ syslog-ng
- Fetching data
  ‣ wget
  ‣ ftp
  ‣ scp
Processing
- Shell tools
  ‣ awk, grep, sed
- Graphic preprocessing
  ‣ Afterglow
  ‣ LGL
- Data enrichment
  ‣ geoiplookup
  ‣ whois/gwhois
Visualization
- Network Traffic
  ‣ EtherApe
  ‣ InetVis
  ‣ tnv
- Generic
  ‣ Afterglow
  ‣ Treemap
  ‣ Mondrian
  ‣ R Project
Thank You!



      raffy @ splunk . com
