Visualization: Transforming How We View Security

Date post: 10-Jul-2015
Description:
Visual analytics have been emerging in recent years to help transform cyber security data into relevant information so professionals can acquire greater insight on their security posture, respond faster, and prove compliance. Among the benefits of visualization are the ability to deal with vast amounts of security data, quickly discover patterns and anomalies, and effectively communicate issues to experts and non-experts alike. Learn how visualization is transforming the security field, what visualization tools are available today, and basic principles for successfully implementing security data visualization.
Transcript
Page 1: Visualization: Transforming How We View Security

Visualization: Transforming How We View Security

Anita D’Amico, Ph.D.
[email protected]

I5, April 28 2008

Page 2: Company Background

• Secure Decisions is a division of Applied Visions, Inc.
• We create visual aids to improve situational awareness of vulnerabilities and threats to critical infrastructure
• We provide security visualization products and custom solutions
• Result of over 10 years of visualization R&D for military and civilian agencies, and commercial clients

Page 3: Agenda

• Value of visualization
• The psychology behind making effective visualizations
• Current uses of visualization in the security lifecycle
• Issues affecting how you implement security visualizations in your enterprise

Page 4: In a Nutshell

• “Visual analytics” help security professionals analyze large volumes of complex security data
• Many security tools are adding some form of visualization, but … not all “pretty pictures” are useful
• No single visualization is effective for all tasks and phases of the security lifecycle
• Good visualization systems are grounded in psychological principles of situational awareness
• Good visualization systems go beyond graphics

Page 5: VALUE OF VISUALIZATION

Page 6: A Picture is Worth a Thousand Log Files

Figure callouts: Actionable information; Greater insight; Faster response times; Communicate results.

MeerCAT, under development for DOD by Secure Decisions – www.SecureDecisions.com

Page 7: Visual Analytics

Visualizations to analyze and understand large quantities of often ambiguous or conflicting data.

Major thrust of the Department of Homeland Security’s National Visualization and Analytics Center.

Source: Ed Blanchfield – www.visualcomplexity.com

Page 8: Value of Visualization

• Orient your attention to the most critical information
• Discover patterns, trends, and anomalies in network data
• Comprehend massive amounts of data more quickly than from text
• See context (e.g. location, timing) of security events
• Make the intangible cyber world easier to understand and explain, especially to non-experts

Page 9: Visualization Lets Us “See” Cyberspace

Source: Ed Blanchfield – www.visualcomplexity.com/vc/project_details.cfm?index=17&id=268&domain=Computer%20Systems

Left: 15 minutes of log data for a class B firewall – no background worm traffic.
Right: The same data with background worm traffic.

Page 10: VISUALIZATIONS BASED ON PSYCHOLOGY OF SITUATIONAL AWARENESS

Page 11: 3 Stages of Situational Awareness

Figure labels: Situation Assessment; Response Management.

• Perception – What’s happening right now?
• Comprehension – What is the relevance of what I’m seeing?
• Projection – What will happen if I do or don’t take action?

Page 12: Perception

Visual Techniques to Enhance Perception
• One data source at a time; e.g. only IPS alerts, or CERT advisories, or network performance metrics
• Simple 2D graphics like pie charts and line graphs
• Distinctive color highlighting
• Same screen set-up every time, e.g. dashboard
• Simple maps and diagrams
• Prioritized data

Page 13: Enhancing Perception

Figure callouts: Dashboard of Current Status; Color Highlighting to Direct Attention; Map for General Orientation and Spatial Context; Simple Graphics; Only High Priority Alerts.

CA eTrust Security Command Center – www.ca.com/products/

Page 14: Comprehension

Visual Techniques to Enhance Comprehension
• Multi-dimensional graphics
• Visually correlate several types of data in one visualization
• Multiple coordinated views
• Emphasis on spatial and temporal context
• Specific techniques
  – Link analyses
  – Graphs of trends
  – Star trees
  – Parallel coordinates

Page 15: Coordinated Views Enhance Comprehension

Figure callouts:
• Star Tree depicts connections between nodes of interest
• Histogram view of same data
• Simultaneous filtering of multiple views of dataset
• Table Lens provides alternative visual perspective
• Data Table

VIAssist developed for DOD and commercial use by Secure Decisions – www.SecureDecisions.com

Page 16: StarTree Shows Connection Patterns

Figure callouts:
• Red dots indicate Dest IP in Morocco is on Watch List.
• IP address of interest
• Thicker line indicates more connections to US

StarTree from Inxight – www.inxight.com. Modified for inclusion in VIAssist – www.SecureDecisions.com

Page 17: Multi-Dimensional Graphics: Correlation of Suspicious Activity with Time and Location

Figure callout: Mail Server is a mission-critical asset; therefore it is shown as a larger box.

Secure Decisions SecureScope™ – www.SecureScope.com or www.SecureDecisions.com

Page 18: Projection

Visual Techniques to Enhance Projection
• Predicted attack paths
• Security data combined with organization charts
• Replays of network traffic
• Animation

Page 19: Predict Impact of an Attack on a Mission

Figure callouts:
• Wall depicts required sequence of mission-critical tasks (Mission-Critical Tasks)
• Assets or Resources Needed for Each Task
• Lines point to specific assets needed to support each task.
• Assets are color-coded by degree of current availability

Secure Decisions SecureScope – www.SecureDecisions.com

Page 20: VISUALIZATIONS FOR EACH PHASE OF SECURITY LIFECYCLE

Page 21: Security Lifecycle

Figure: lifecycle diagram labeled Monitor, Assess, Remediate, Report and Security Policies.

Page 22: Visualizations for Situational Awareness & Security Lifecycle

Figure: matrix of Security Lifecycle Phases (rows: MONITOR, ASSESS, REMEDIATE, REPORT) against Situational Awareness Stages (columns: Perception, Comprehension, Projection).

Page 23: Monitoring

Figure: lifecycle diagram (Monitor, Assess, Remediate, Report, Security Policies) with the Monitor phase’s tasks:
• Identify policy violations
• Monitor alerts from Intrusion Prevention System
• Identify vulnerabilities
• Identify anomalous network performance

Page 24: Visualization for Monitoring

Guidelines for How the Viz Should Look
• Standardized, simple views for rapid scanning and comparing
• Visualize primary sensor data (e.g. IPS alerts)
• Simple 2D graphics, e.g. of security metrics
• Big graphics that can be seen on a “Big Board”
• Use color, blinking, and motion in uniform, pre-set conditions
• Distinguish old data from new

Page 25: Event Dashboard

Figure callouts: 2D Graphics; Prioritized, Color-coded Alerts; Simple Metrics.

eIQ Enterprise Security Analyzer, product of eIQnetworks™ – www.eiqnetworks.com

Page 26: Prioritized Alerts

Figure: alert table with columns Time, Device, Source IP, Destination IP, Alert, Protocol.

eIQ Enterprise Security Analyzer, product of eIQnetworks™ – www.eiqnetworks.com

Page 27: “Big Board” of Trouble Spots

MITRE IWViz developed for USAF – www.mitre.org/work/tech_transfer/technologies/iwviz.html or www.SecureDecisions.com

Page 28: Visualization for Monitoring

Guidelines for How the Visualization System Should Operate
• Standard, regular queries to data repository
  – e.g. poll database for top 100 alerts every 15 minutes
• Standard visual filters for shared display
  – only show activity on pre-specified critical assets
• Drill down for other data
• Automatically update data being visualized at regular intervals
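As an added illustration, not code from the presentation or from any product it shows, the following Python puts the monitoring guidelines above into one small view: a regular top-N query, a standard filter to pre-specified critical assets, prioritized color coding, and old versus new data, using the columns of the Prioritized Alerts slide. The critical-asset range, colors, refresh interval, clock and sample rows are all constructed assumptions.

```python
# Added example (not from the presentation): a shared monitoring view built
# from constructed alert rows. Column names follow the Prioritized Alerts
# slide; asset ranges, priorities, colors and the clock are assumed values.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

CRITICAL_ASSETS = [ip_network("10.0.1.0/24")]  # constructed: pre-specified critical assets
REFRESH = timedelta(minutes=15)                  # "poll ... every 15 minutes"
TOP_N = 100                                      # "top 100 alerts"
PRIORITY_COLOR = {3: "red", 2: "orange", 1: "yellow"}  # uniform, pre-set color conditions
COLUMNS = ("time", "device", "src_ip", "dst_ip", "alert", "protocol", "priority")

# Constructed sample rows: time,device,source IP,destination IP,alert,protocol,priority
SAMPLE_ALERTS = """\
2008-04-28T09:20:00,ips-1,198.51.100.4,10.0.1.25,SMTP AUTH brute force,tcp/25,3
2008-04-28T08:50:00,ips-1,198.51.100.4,10.0.1.53,DNS zone transfer attempt,udp/53,2
2008-04-28T09:25:00,ips-2,203.0.113.9,10.0.7.12,Port scan,tcp,1
2008-04-28T09:28:00,ips-2,203.0.113.9,10.0.1.25,SMTP AUTH brute force,tcp/25,3
2008-04-28T09:00:00,fw-1,192.0.2.200,10.0.1.80,Policy violation: telnet,tcp/23,1
"""
NOW = datetime(2008, 4, 28, 9, 30)  # constructed clock for this refresh

def parse_alerts(text):
    """Parse the CSV rows above into dicts keyed by COLUMNS."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(COLUMNS, line.split(",")))
        row["time"] = datetime.fromisoformat(row["time"])
        row["priority"] = int(row["priority"])
        rows.append(row)
    return rows

def on_critical_asset(row):
    """Standard visual filter: keep only activity on pre-specified assets."""
    dst = ip_address(row["dst_ip"])
    return any(dst in net for net in CRITICAL_ASSETS)

def monitoring_view(rows, now, top_n=TOP_N, window=REFRESH):
    """Rows for the shared display: critical assets only, highest priority
    first, newest first within a priority, capped at top_n, each tagged
    with its color and whether it arrived since the last refresh."""
    view = []
    for r in rows:
        if not on_critical_asset(r):
            continue
        view.append({**r,
                     "color": PRIORITY_COLOR.get(r["priority"], "grey"),
                     "new": now - r["time"] < window})
    view.sort(key=lambda r: (-r["priority"], -r["time"].timestamp()))
    return view[:top_n]

def render(view):
    """Fixed-layout text lines for a 'big board'; NEW flags rows not yet seen."""
    return ["{:%H:%M} {:5} {:7} {:15} {:15} {:26} {}".format(
                r["time"], "NEW" if r["new"] else "", r["color"],
                r["src_ip"], r["dst_ip"], r["alert"], r["protocol"])
            for r in view]

if __name__ == "__main__":
    for line in render(monitoring_view(parse_alerts(SAMPLE_ALERTS), NOW)):
        print(line)
```

The port-scan row against 10.0.7.12 is dropped by the critical-asset filter, and the two brute-force rows sort above the older, lower-priority alerts.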

Page 29: Assessment

Figure: lifecycle diagram (Monitor, Assess, Remediate, Report, Security Policies) with the Assess phase’s tasks:
• Explore data for patterns
• Analyze for suspicious activity
• Analyze risks
• Audit for compliance

Page 30: Visualization for Assessment

Guidelines for How the Viz Should Look
• Keep primary data of interest in foreground
• Add secondary data (e.g. whois, CERT advisories, location) to help interpretation of primary data
• Multi-dimensional displays, often with temporal and spatial context
• Multiple coordinated views of data
• Color, blinking, and motion under user control

Page 31: Assess Vulnerability from Rogue Access Points

Figure callouts: Building floor layout; Topology of Connections; Heatmap of Signal Strength; Vulnerable Groups.

AirWave’s RAPIDS – http://www.airwave.com/products/rapids/

Page 32: Risk Analysis

RedSeal™ Security Risk Manager – www.redseal.net

Page 33: Visualization for Assessment

Guidelines for the Visualization System
• Ad hoc data exploration tools
• Keep track of path taken through data (e.g. give cues to what has been filtered)
• Specially-crafted queries to data repository
• Customizable visual filters for shared display
• Drill down for other data
• Aggregate data at higher level of abstraction
• Do not automatically update data under analysis
• Retain historic data for access by visualization

Page 34: Remediation

Figure: lifecycle diagram (Monitor, Assess, Remediate, Report, Security Policies) with the Remediate phase’s tasks:
• Analyze impact of remediation
• Modify access controls
• Enforce policies
• Educate
• Respond to incidents

Page 35: Visualization for Remediation

Guidelines for How the Viz Should Look
• Link diagrams to show causality and dependencies
• Line graphs of network activity over time
  – Annotated to show need for and effects of remediation
• Simple graphics, e.g. frequency charts, showing changes in security metrics
  – Shows need for and effects of remediation
• Uncluttered
• Retain information when rendered in grey scale

Page 36: Effect of Changed Asset on Other Systems

Figure callouts: This changed asset is required by Email Support; … is business owner of STL_LDAP Security.

CA CMDB Change Impact Analysis – www.ca.com/us/cmdb.aspx

Page 37: Visually-Mediated Tool for Controlling Access

Meru Networks E(z)RF – www.merunetworks.com/

Page 38: Visualization for Remediation

Guidelines for the Visualization System
• Role-based security access, to protect remediation activities from general viewing
• Viz system should be able to access historical data for before and after views
• Rapidly copy visualizations for insertion in reports
• Email visualizations
• Print directly from visualization system

Page 39: Reporting

Figure: lifecycle diagram (Monitor, Assess, Remediate, Report, Security Policies) with the Report phase’s tasks:
• Report to management
• Report on compliance
• Collaborate with experts

Page 40: Visualization for Reporting

Guidelines for How the Viz Should Look
• Graphics and icons understandable without explanation, e.g. line graphs, frequency charts
• Annotations
• Uncluttered
• Layers of information that build on top of each other, like transparencies being added
• Retain information when rendered in grey scale

Page 41: Management Report

OSSIM – Open Source Security Information Management – www.ossim.net

Page 42: Compliance Reporting

IBM Tivoli Compliance Insight Manager – www-306.ibm.com/software/tivoli/products/security-compliance-mgr/

Page 43: Visualization for Reporting

Guidelines for the Visualization System
• Standard PowerPoint templates that can be automatically filled in from the viz system
• Annotate and save annotations in visualizations
• Direct access to historical data
• Rapidly copy visualizations for insertion in reports
• Email visualizations
• Print directly from visualization system

Page 44: HOW TO GET SECURITY VISUALIZATION IMPLEMENTED IN YOUR ENTERPRISE

Page 45: How to Get Security Visualizations

Four ways to get security visualizations
• Individual security tools with integral visualizations
• Security Information & Network Management systems with integrated visualizations
• General-purpose visualization tools, to customize for security purposes
• Dedicated security visualization systems

Page 46: How to Get Security Visualizations – Individual security tools with integrated visualizations

Benefits
• Configured for easy interpretation of specific security data
• Some inexpensive (open source)

Drawbacks
• No cross-sensor correlation
• Exploratory

Single Data Source: Firewall, audit logs, IPS alerts, pcap files

Sample Products: Afterglow, AirWave, RUMINT, TNV

Page 47: TreeMap Analyzing Firewall Logs

TreeMap by AfterGlow – sourceforge.net/projects/afterglow or www.secviz.org/?q=node/16

Page 48: TreeMap for Assessing Firewall Logs: Notional View

• Each big box represents a Source IP connecting into the enterprise (e.g. Source IP 195.141.69.45, Source IP 195.143.56.25)
• Each big box is subdivided by the Target Ports used to connect to the enterprise (e.g. Port 20, Port 25, Port 53)
• Each Port box is subdivided into Target IPs reached by the Source IP
• The size of the Target box represents the number of connections achieved.
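As an added example, not code from the presentation or from AfterGlow, the following Python builds the Source IP → Target Port → Target IP hierarchy the notional treemap draws from constructed firewall log lines and lays it out as a slice-and-dice treemap in which each leaf’s area is proportional to its connection count. The netfilter-style field names SRC=, DST= and DPT= are real; the addresses, ports and counts are invented.

```python
# Added example (not from the presentation or AfterGlow): aggregate firewall
# log lines into the treemap hierarchy and compute box sizes from counts.
import re
from collections import defaultdict

# Constructed netfilter-style log lines; the last line has no DPT (ICMP).
SAMPLE_LOG = """\
fw kernel: ACCEPT IN=eth0 SRC=195.141.69.45 DST=10.0.0.5 PROTO=TCP SPT=40112 DPT=25
fw kernel: ACCEPT IN=eth0 SRC=195.141.69.45 DST=10.0.0.5 PROTO=TCP SPT=40113 DPT=25
fw kernel: ACCEPT IN=eth0 SRC=195.141.69.45 DST=10.0.0.5 PROTO=TCP SPT=40114 DPT=25
fw kernel: ACCEPT IN=eth0 SRC=195.141.69.45 DST=10.0.0.6 PROTO=TCP SPT=40115 DPT=25
fw kernel: ACCEPT IN=eth0 SRC=195.141.69.45 DST=10.0.0.5 PROTO=TCP SPT=40116 DPT=20
fw kernel: ACCEPT IN=eth0 SRC=195.141.69.45 DST=10.0.0.5 PROTO=TCP SPT=40117 DPT=20
fw kernel: ACCEPT IN=eth0 SRC=195.143.56.25 DST=10.0.0.9 PROTO=UDP SPT=53201 DPT=53
fw kernel: ACCEPT IN=eth0 SRC=195.143.56.25 DST=10.0.0.9 PROTO=UDP SPT=53202 DPT=53
fw kernel: ACCEPT IN=eth0 SRC=195.143.56.25 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=25
fw kernel: ACCEPT IN=eth0 SRC=195.143.56.25 DST=10.0.0.6 PROTO=TCP SPT=51001 DPT=20
fw kernel: ACCEPT IN=eth0 SRC=195.143.56.25 DST=10.0.0.9 PROTO=ICMP TYPE=8 CODE=0
"""
FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def build_tree(log_text):
    """Count connections as Source IP -> Target Port -> Target IP -> count,
    the hierarchy of the notional treemap. Lines without a DPT are skipped."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            src, dst, port = m.group(1), m.group(2), int(m.group(3))
            tree[src][port][dst] += 1
    return tree

def total(node):
    """Connection count under a node (leaf values are ints)."""
    return node if isinstance(node, int) else sum(total(c) for c in node.values())

def layout(node, x, y, w, h, depth=0, path=()):
    """Slice-and-dice treemap: split along x at even depths and along y at
    odd depths, giving each child a share proportional to its count.
    Returns (path, x, y, w, h) per leaf; leaf area = count * (W*H / total)."""
    if isinstance(node, int):
        return [(path, x, y, w, h)]
    rects, size, offset = [], total(node), 0.0
    for key, child in sorted(node.items(), key=lambda kv: -total(kv[1])):
        share = total(child) / size
        if depth % 2 == 0:   # children side by side
            rects += layout(child, x + offset, y, w * share, h, depth + 1, path + (key,))
            offset += w * share
        else:                # children stacked
            rects += layout(child, x, y + offset, w, h * share, depth + 1, path + (key,))
            offset += h * share
    return rects

def leaf_areas(rects):
    """Map each (Source IP, Port, Target IP) path to its rectangle area."""
    return {path: w * h for path, _x, _y, w, h in rects}

if __name__ == "__main__":
    for path, x, y, w, h in layout(build_tree(SAMPLE_LOG), 0, 0, 100, 100):
        print(f"{'/'.join(map(str, path)):36s} x={x:5.1f} y={y:5.1f} w={w:5.1f} h={h:5.1f}")
```

With ten counted connections in a 100×100 box, each connection is worth 1000 units of area, so the three SMTP connections from 195.141.69.45 to 10.0.0.5 become a 3000-unit rectangle.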

Page 49: RUMINT Visual Analytics for Packet Data

RUMINT developed by Greg Conti – www.rumint.org/

Page 50: How to Get Security Visualizations – Security Information & Network Management systems with integrated visualizations

Benefits
• Multi-source: firewalls, IDS, applications, etc.
• Multi-perspective: Gain new insight
• Interactive: visualize event, drill down, filter
• Easy to Use: preloaded security visualization

Drawbacks
• Expensive: require SIM

Sample SIM and NMS Products: ArcSight, CA, eIQnetworks, IBM, NeuralStar, Intellitactics, OSSIM

Page 51: Visualizations Within ArcSight SIM

ArcSight Interactive Discovery and ArcSight ESM – www.arcsight.com

Page 52: Visualizations Within NeuralStar NMS

NeuralStar by Ai Metrix – www.aimetrix.com/about_aimetrix.php

Page 53: How to Get Security Visualizations – General-purpose visualization tools that can be customized

Benefits
• Truly customized for your own needs

Drawbacks
• No security knowledge built in
• Requires skilled software development staff
• Requires >4 months of development time and cost of a highly skilled

Sample Products: QlikView, Advizor, Inxight, Tom Sawyer, yWorks

Page 54: QlikView General Purpose Visual Tools

Page 55: Advizor General Purpose Visual Tools

Page 56: How to Get Security Visualizations – Dedicated security visualization systems

Benefits
• Configured to visualize larger quantities of security data
• Can interface to multiple sources, e.g. firewalls, IPSs, SIMs
• Designed for many different security users, from real-time analysts to security managers in the same organization

Drawbacks
• Some are expensive (>$4K)
• Learning curve (1-2 days)

Sample Products: SecureScope, VIAssist, MeerCAT, VisAlert, TriGeo

Page 57: TriGeo Insight™ Incorporates QlikView

http://www.trigeo.com/products/insight/

Page 58: VIAssist Visualization System

Actual multi-vendor integrated visual dashboard. Combines:
• InXight Star Tree and Table Lens
• Advizor Charts
• Secure Decisions Visual Analytic Framework (VIAssist), Filters & Legends

VIAssist – www.SecureDecisions.com

Page 59: Issues in Selecting Visualization Solutions

• Motivational Issues
  – Goals – Why do you want visualizations?
  – What questions do you want to ask of the data?
• Data Issues
  – Data Sources
  – Data Volume
  – Data Access
• Resource Issues
  – Supporting technology infrastructure
  – Staffing and technology expertise
  – Budget

Page 60: Motivating Issues

• Goals – Why do you want visualizations?
  – Quick monitoring?
  – Detailed analysis?
  – Substantiation for compliance?
  – Sharing with other security professionals?
  – Reporting to non-experts?
• What questions do you want to ask of the data?
  – Am I under attack?
  – When did it start?
  – What’s the organizational impact?
  – Who is it, and where are they?
  – What technique are they using?

Page 61: Data Issues

• Data Sources
  – One or many?
  – Pre-processed? e.g. alerts
  – Raw? e.g. packet data
  – Recent or historical?
  – Need to periodically bring in other sources? (e.g. CERT or ISAC advisories, maps)
• Data Volume
  – How many GB or TB a day do you get?
  – Of that, what do you want to look at?
• Data Access
  – Central repository, or does visualization need to interface to several other systems for data?

Page 62: Resource Issues

• Supporting technology infrastructure
  – Preferred operating system
  – Central or distributed monitoring
  – Fat client or web portal usage
  – Collaborative or single user
• Staffing and technology expertise
  – General network administrator or skilled security analyst capable of detailed forensic analysis of data
  – Degree of software development expertise
• Budget

Page 63: WRAP-UP

Page 64: In a Nutshell

• “Visual analytics” help security professionals analyze large volumes of complex security data
• Many security tools are adding some form of visualization, but … not all “pretty pictures” are useful
• No single visualization is effective for all tasks and phases of the security lifecycle
• Good visualization systems are grounded in psychological principles of situational awareness
• Good visualization systems go beyond graphics

Page 65: What’s Your Perspective?

Page 66:

Anita D’Amico
[email protected]
631-754-4920 ext. 147

