Security Research 2.0 - FIT 2008


Upload: raffael-marty

Post on 20-Aug-2015


TRANSCRIPT

Security Research 2.0

Raffael Marty, GCIA, CISSP
Chief Security Strategist, Splunk>

FIT-IT Visual Computing, Austria - September '08

Agenda
• Security Visualization Today
  - The SecViz Dichotomy
  - The Failure
  - The Way Forward
• My Focus Areas
• The Future

Goal: Provoke thought and stir up more questions than offering answers.

Raffael Marty
• Chief Security Strategist, Splunk>
• Looked at logs / IT data for over 10 years
  - IBM Research
  - Conference boards / committees
• Presenting around the world on SecViz
• Passion for Visualization
  - http://secviz.org
  - http://afterglow.sourceforge.net

Applied Security Visualization
Paperback: 552 pages
Publisher: Addison Wesley (August 2008)
ISBN 0321510100

Security Visualization Today

The 1st Dichotomy: two domains, Security & Visualization

Security:
• security data
• networking protocols
• routing protocols (the Internet)
• security impact
• security policy
• jargon
• use-cases
• are the end-users

Visualization:
• types of data
• perception
• optics
• color theory
• depth cue theory
• interaction theory
• types of graphs
• human computer interaction

The Failure - New Graphs

The Right Thing - Reuse Graphs

The Failure - The Wrong Graph

The Right Thing - Adequate Graphs

The Failure - The Wrong Integration
• Using proprietary data format
• Provide parsers for various data formats
  - does not scale
  - is probably buggy / incomplete
• Use wrong data access paradigm
  - complex configuration
  - e.g. needs an SSH connection

[Figure: the launchd.plist(5) man page (/usr/share/man/man5/launchd.plist.5) and an excerpt of an XML property list, shown as an example of a complex configuration format]

The Right Thing - KISS
• Keep It Simple Stupid
• Use CSV input
• Use files as input
• Offload to other tools
  - parsers
  - data conversions

Using node sizes:
size.source=1
size.target=200
maxNodeSize=0.2
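The KISS pipeline of this slide written out as an added example (not part of the original deck and not AfterGlow's own code): a plain CSV file of source,target,count rows arrives from an upstream parser, node sizes are derived from properties named after the slide's size.source / size.target / maxNodeSize, and a Graphviz DOT file goes out. The property semantics used here (every row adds the property value to its node, a column name sums that column, and the largest node of each role is scaled to maxNodeSize), the sample records and the malformed-row handling are this example's assumptions, not AfterGlow's documented behaviour.

```python
import csv
import io
from collections import defaultdict

# Constructed sample input: connection records already reduced to CSV by
# an upstream parser (source IP, destination IP, byte count). Two rows are
# deliberately malformed to show that bad input is counted, not fatal.
SAMPLE_CSV = """\
10.0.0.5,192.168.1.10,1200
10.0.0.5,192.168.1.10,800
10.0.0.7,192.168.1.10,300
this row has no separators
10.0.0.5,192.168.1.22,50
10.0.0.9,192.168.1.22,notanumber
10.0.0.9,192.168.1.22,9000
"""

COLUMNS = ("source", "target", "count")

# Property file in the spirit of the slide (assumed semantics, not
# AfterGlow's): every row adds the property value to its source/target
# node, so a constant counts rows and a column name sums that column;
# maxNodeSize is the size the largest node of each role is scaled to.
PROPERTIES = {
    "size.source": "1",
    "size.target": "count",
    "maxNodeSize": 0.2,
}


def parse_csv(text):
    """Read source,target,count rows; return (rows, rejected_count).

    Parsing stays deliberately dumb: a row without exactly three fields or
    without a numeric count is dropped, and the caller is told how many
    rows were dropped so silent data loss cannot hide inside a graph.
    """
    rows, rejected = [], 0
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != len(COLUMNS):
            rejected += 1
            continue
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        try:
            row["count"] = float(row["count"])
        except ValueError:
            rejected += 1
            continue
        rows.append(row)
    return rows, rejected


def raw_size(expr, row):
    """Evaluate a size property: a column name or a numeric constant."""
    if expr in row:
        return float(row[expr])
    return float(expr)


def node_sizes(rows, props):
    """Map every node to a display size, scaled per role to maxNodeSize."""
    raw = {"source": defaultdict(float), "target": defaultdict(float)}
    for row in rows:
        for role in ("source", "target"):
            raw[role][row[role]] += raw_size(props["size." + role], row)
    sizes = {}
    for role, per_node in raw.items():
        biggest = max(per_node.values(), default=0.0)
        for node, value in per_node.items():
            scaled = value / biggest * props["maxNodeSize"] if biggest else 0.0
            # A node that is both a source and a target keeps its larger size.
            sizes[node] = max(sizes.get(node, 0.0), scaled)
    return sizes


def to_dot(rows, sizes):
    """Emit a Graphviz DOT graph; node width carries the computed size."""
    edges = defaultdict(float)
    for row in rows:
        edges[(row["source"], row["target"])] += row["count"]
    lines = ["digraph secviz {", "  node [shape=circle, fixedsize=true];"]
    for node, size in sorted(sizes.items()):
        lines.append('  "%s" [width=%.4f];' % (node, size))
    for (src, dst), total in sorted(edges.items()):
        lines.append('  "%s" -> "%s" [label="%.0f"];' % (src, dst, total))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, rejected = parse_csv(SAMPLE_CSV)
    print(to_dot(rows, node_sizes(rows, PROPERTIES)))
    print("# rejected rows:", rejected)
```

Pipe the output into `dot -Tpng` to render it; the rejected-row count is the one number worth checking before trusting the picture.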

The Failure - So What?

The Right Thing - Help The User Along
• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays

The Failure - Unnecessary Ink

The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce data ink ratio
• Visualization principles

The 2nd Dichotomy: two worlds, Industry & Academia

Some comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08.

Industry:
• don't understand the real impact
• get the 70% solution
• don't think big
• no time / money for real research
• can't scale
• work based off of a few customers' input

Academia:
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated / impractical solutions
• use graphs / visualization where it is not needed

The Way Forward
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline

Two disciplines: Security + Visualization = SecViz

Two worlds:
• More academia / industry collaboration
• Build components / widgets / gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

My Focus Areas
• Use-case oriented visualization
  - Perimeter Threat
  - Governance, Risk, Compliance (GRC)
  - Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX

Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
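The last two points of this slide in code, as an added example that is not from the deck: a fixed 1000-record export rule, which an insider who has learned the limit stays under, beside a per-user baseline that scores each day against that user's own earlier days and so still surfaces the unusual pattern. The application-layer audit-log format, the users, the thresholds and the rule that users with too little history are not scored are all constructed assumptions of this example.

```python
import re
import statistics
from collections import defaultdict

# Constructed application-layer audit log, one line per customer-record
# export. alice is a regular user, carol is new, and bob has learned the
# fixed 1000-record rule and keeps each day just below it.
SAMPLE_LOG = """\
2008-09-01 user=alice action=export records=40
2008-09-01 user=bob action=export records=35
2008-09-02 user=alice action=export records=55
2008-09-02 user=bob action=export records=30
2008-09-03 user=alice action=export records=45
2008-09-03 user=bob action=export records=40
2008-09-04 user=alice action=export records=60
2008-09-04 user=bob action=export records=38
2008-09-05 user=alice action=export records=50
2008-09-05 user=bob action=export records=950
2008-09-05 user=bob action=export records=45
2008-09-05 user=carol action=export records=700
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) "
    r"action=export records=(?P<n>\d+)$"
)
STATIC_LIMIT = 1000     # the fixed rule an insider can learn and stay under
MIN_HISTORY_DAYS = 3    # a user with less history than this is not scored
ZSCORE_LIMIT = 3.0      # how far above their own norm a user must be


def daily_totals(log_text):
    """Sum exported records per user and day; non-matching lines are ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            totals[m["user"]][m["day"]] += int(m["n"])
    return totals


def static_threshold_alerts(totals, limit=STATIC_LIMIT):
    """The fixed rule: alert on any user-day whose total reaches the limit."""
    return sorted((user, day, total)
                  for user, per_day in totals.items()
                  for day, total in per_day.items()
                  if total >= limit)


def baseline_alerts(totals, zlimit=ZSCORE_LIMIT, min_days=MIN_HISTORY_DAYS):
    """Per-user baseline: score each day against that user's earlier days.

    A day is flagged when its total lies more than zlimit standard
    deviations above the mean of the user's previous days. Users with
    fewer than min_days of history are left unscored rather than compared
    against a norm they never established.
    """
    alerts = []
    for user, per_day in totals.items():
        history = []
        for day in sorted(per_day):          # ISO dates sort chronologically
            total = per_day[day]
            if len(history) >= min_days:
                mean = statistics.mean(history)
                # Floor the spread at one record so a perfectly regular
                # history does not turn every small change into an alert.
                spread = statistics.stdev(history) if len(history) > 1 else 0.0
                z = (total - mean) / max(spread, 1.0)
                if z > zlimit:
                    alerts.append((user, day, total, round(z, 1)))
            history.append(total)           # today joins tomorrow's baseline
    return sorted(alerts)


if __name__ == "__main__":
    totals = daily_totals(SAMPLE_LOG)
    print("static threshold alerts:", static_threshold_alerts(totals))
    print("per-user baseline alerts:", baseline_alerts(totals))
```

On this input the static rule reports nothing, while the baseline flags bob's 995-record day against his 30-to-40-record history; carol's 700 records are left unscored because she has no history yet, which is the point where an analyst, not an algorithm, needs to look.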

SecViz - Security Visualization
This is a place to share, discuss, challenge and learn about security visualization.

DAVIX - Data Analysis and Visualization Linux
davix.secviz.org

The Future
• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction

Thank you very much

Raffael Marty, secviz.org

Agendabull Security Visualization Today- The SecViz Dichotomy

- The Failure

- The Way Forward

bull My Focus Areas

bull The Future

2

Agendabull Security Visualization Today- The SecViz Dichotomy

- The Failure

- The Way Forward

bull My Focus Areas

bull The Future

2

GoalProvoke thought and stir up

more questions than offering answers

bull Chief Security Strategist Splunkgt

bull Looked at logsIT data for over 10 years

- IBM Research

- Conference boards committees

bull Presenting around the world on SecViz

bull Passion for Visualization

- httpsecvizorg

- httpafterglowsourceforgenet

Applied Security VisualizationPaperback 552 pages

Publisher Addison Wesley (August 2008)ISBN 0321510100

bull Chief Security Strategist Splunkgt

bull Looked at logsIT data for over 10 years

- IBM Research

- Conference boards committees

bull Presenting around the world on SecViz

bull Passion for Visualization

- httpsecvizorg

- httpafterglowsourceforgenet

Raffael Marty

Applied Security VisualizationPaperback 552 pages

Publisher Addison Wesley (August 2008)ISBN 0321510100

Security Visualization Today

The 1st Dichotomy

5

The 1st Dichotomy

5

two domainsSecurity amp Visualization

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

Agendabull Security Visualization Today- The SecViz Dichotomy

- The Failure

- The Way Forward

bull My Focus Areas

bull The Future

2

GoalProvoke thought and stir up

more questions than offering answers

bull Chief Security Strategist Splunkgt

bull Looked at logsIT data for over 10 years

- IBM Research

- Conference boards committees

bull Presenting around the world on SecViz

bull Passion for Visualization

- httpsecvizorg

- httpafterglowsourceforgenet

Applied Security VisualizationPaperback 552 pages

Publisher Addison Wesley (August 2008)ISBN 0321510100

bull Chief Security Strategist Splunkgt

bull Looked at logsIT data for over 10 years

- IBM Research

- Conference boards committees

bull Presenting around the world on SecViz

bull Passion for Visualization

- httpsecvizorg

- httpafterglowsourceforgenet

Raffael Marty

Applied Security VisualizationPaperback 552 pages

Publisher Addison Wesley (August 2008)ISBN 0321510100

Security Visualization Today

The 1st Dichotomy

5

The 1st Dichotomy

5

two domainsSecurity amp Visualization

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

• Using a proprietary data format
• Providing parsers for various data formats
  • does not scale
  • is probably buggy / incomplete
• Using the wrong data access paradigm
• Complex configuration, e.g. needs an SSH connection

[Illustration on the slide: a terminal dump of a verbose XML property list (plist) file, shown as an example of an over-complicated, proprietary configuration and data format]

The Right Thing - KISS

11

• Keep It Simple, Stupid
• Use CSV input
• Use files as input
• Offload to other tools
  • parsers
  • data conversions

Using node sizes (a simple key=value configuration file):
  size.source=1
  size.target=200
  maxNodeSize=0.2

The Failure - So What?

12

The Right Thing - Help The User Along

13

• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

• Don't use graphics to decorate a few numbers
• Increase the data-ink ratio (strip ink that carries no data)
• Follow established visualization principles

The 2nd Dichotomy

16

Two worlds: Industry & Academia

Industry
• doesn't understand the real impact
• settles for the 70% solution
• doesn't think big
• has no time / money for real research
• can't scale
• works based off of a few customers' input

Academia
• doesn't know what's been done in industry
• doesn't understand the use-cases
• doesn't understand the environments / data domain
• works on simulated data
• constructs its own problems
• uses overly complicated, impractical solutions
• uses graphs / visualization where they are not needed

Some of these comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08.

The Way Forward

17

Two disciplines: Security + Visualization = SecViz
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline

Two worlds: Industry + Academia
• More academia / industry collaboration
• Build components, widgets, gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

My Focus Areas

18

• Use-case oriented visualization
  • Perimeter Threat
  • Governance, Risk, Compliance (GRC)
  • Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX

Insider Threat Visualization

19

• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - A problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
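The last bullets above (a static rule versus a "bandit" who learns the fixed threshold and stays under it) are easy to make concrete. The following Python is an added example, not code from the deck; the CRM audit trail, the user names and the "three times the user's own median" rule are constructed for illustration only.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed application-layer audit trail (not from the original deck): one
# line per user and day with the number of customer records opened in a CRM.
# "bob" is a support agent who legitimately opens well over 100 records a day.
# "mallory" normally opens about a dozen, then starts pulling ~95 a day,
# staying just under the 100-records/day alarm she knows exists.
ACCESS_LOG = """\
2008-09-01 alice records=41
2008-09-02 alice records=38
2008-09-03 alice records=44
2008-09-04 alice records=40
2008-09-05 alice records=39
2008-09-01 bob records=120
2008-09-02 bob records=115
2008-09-03 bob records=130
2008-09-04 bob records=118
2008-09-05 bob records=125
2008-09-01 mallory records=12
2008-09-02 mallory records=11
2008-09-03 mallory records=13
2008-09-04 mallory records=97
2008-09-05 mallory records=96
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<user>\S+)\s+records=(?P<count>\d+)$")


def parse_log(text):
    """Return (date, user, count) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        events.append((m["date"], m["user"], int(m["count"])))
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def fixed_threshold_alerts(events, limit=100):
    """Static rule: flag any user-day above `limit` records.
    Fires on the heavy but legitimate user every day and never on the
    insider who keeps her volume just under the known limit."""
    return [(date, user) for date, user, count in events if count > limit]


def baseline_alerts(events, factor=3.0, min_history=3):
    """Per-user rule: flag a day whose count exceeds `factor` times the median
    of that user's own earlier days (once `min_history` days exist).
    The threshold follows each user's habitual volume, so it ignores bob's
    usual 120 and catches mallory's jump from ~12 to ~96."""
    history = defaultdict(list)
    alerts = []
    for date, user, count in events:  # oldest first
        past = history[user]
        if len(past) >= min_history and count > factor * median(past):
            alerts.append((date, user))
        past.append(count)  # flagged days enter the baseline too (see note)
    return alerts


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("fixed threshold:", fixed_threshold_alerts(evs))
    print("per-user baseline:", baseline_alerts(evs))
```

The per-user rule is still a static algorithm in the sense the slide means: an insider who raises her volume a little each day drags her own median up with her and is never three times her baseline. That remaining blind spot is the reason the slide asks for visual inspection of per-user activity over time rather than trusting any single rule.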

20

SecViz - Security Visualization
This is a place to share, discuss, challenge and learn about security visualization.

DAVIX - Data Analysis and Visualization Linux
davix.secviz.org

The Future

23

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction
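The KISS slide earlier argues for flat CSV files with parsing offloaded to separate tools, and the slide above names the data semantics problem (a common event expression, entity extraction). The following Python is an added example that serves both points; it is not code from the deck, from AfterGlow or from DAVIX. It extracts entities from two constructed syslog formats (sshd and a netfilter firewall) into one common field set, keeps the lines it cannot parse instead of dropping them, and writes the source,event,target CSV that a file-driven graph tool reads. The log lines, the field names and the regular expressions are assumptions made for this example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample log (not from the original deck): an sshd authentication
# log and a netfilter/iptables firewall log, both via syslog, plus one
# application line that no parser below understands.
RAW_LOG = """\
Sep  2 10:15:03 bastion sshd[2034]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep  2 10:15:09 bastion sshd[2034]: Accepted publickey for rmarty from 198.51.100.23 port 50022 ssh2
Sep  2 10:16:44 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
Sep  2 10:16:45 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40001 DPT=22 SYN
Sep  2 10:17:02 fw01 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=50100 DPT=443 SYN
Sep  2 10:18:00 app01 crm[991]: user=rmarty exported report=Q3
"""

# Generic syslog envelope: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Entity extraction for the two message formats this example understands.
SSHD_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)")
NETFILTER_RE = re.compile(
    r"^(?P<verdict>[A-Z]+) IN=\S* OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<sport>\d+))?(?: DPT=(?P<dport>\d+))?")


def parse_line(line):
    """Map one raw line onto a common schema (assumed field names: ts, host,
    source, src_ip, dst, user, action), or return None if no parser matches."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts, host, prog, msg = m["ts"], m["host"], m["prog"], m["msg"]
    if prog == "sshd":
        s = SSHD_RE.match(msg)
        if s:
            # sshd does not log its own port; assume the default 22.
            return {"ts": ts, "host": host, "source": "sshd",
                    "src_ip": s["src"], "dst": f"{host}:22", "user": s["user"],
                    "action": "accept" if s["outcome"] == "Accepted" else "deny"}
    elif prog == "kernel":
        n = NETFILTER_RE.match(msg)
        if n:
            dst = n["dst"] + (f":{n['dport']}" if n["dport"] else "")
            return {"ts": ts, "host": host, "source": "netfilter",
                    "src_ip": n["src"], "dst": dst, "user": "",
                    "action": "accept" if n["verdict"] == "ACCEPT" else "deny"}
    return None


def normalize(text):
    """Parse every line; lines no parser understands are returned, not dropped
    silently, since an incomplete parser is exactly the failure the deck warns about."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def to_link_csv(events, columns=("src_ip", "action", "dst")):
    """Flatten normalized events into source,event,target CSV, the shape a
    file-driven link-graph tool such as AfterGlow takes as three-column input."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for ev in events:
        writer.writerow([ev[c] for c in columns])
    return buf.getvalue()


def node_weights(events, column="src_ip"):
    """Count events per entity, e.g. to drive node size in the link graph."""
    return Counter(ev[column] for ev in events)


if __name__ == "__main__":
    evs, bad = normalize(RAW_LOG)
    print(to_link_csv(evs))
    print("unparsed:", bad)
    print("weights:", node_weights(evs))
```

The parsers live in one small script and the graph tool only ever sees a flat CSV file, which is the division of labour the KISS slide asks for; the shared field names are the minimal "common event expression" that lets an sshd login and a firewall drop from the same address land on the same node.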

Vielen Dank (Thank you)

Raffael Marty, secviz.org

bull Chief Security Strategist Splunkgt

bull Looked at logsIT data for over 10 years

- IBM Research

- Conference boards committees

bull Presenting around the world on SecViz

bull Passion for Visualization

- httpsecvizorg

- httpafterglowsourceforgenet

Applied Security VisualizationPaperback 552 pages

Publisher Addison Wesley (August 2008)ISBN 0321510100

bull Chief Security Strategist Splunkgt

bull Looked at logsIT data for over 10 years

- IBM Research

- Conference boards committees

bull Presenting around the world on SecViz

bull Passion for Visualization

- httpsecvizorg

- httpafterglowsourceforgenet

Raffael Marty

Applied Security VisualizationPaperback 552 pages

Publisher Addison Wesley (August 2008)ISBN 0321510100

Security Visualization Today

The 1st Dichotomy

5

The 1st Dichotomy

5

two domainsSecurity amp Visualization

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

bull Chief Security Strategist Splunkgt

bull Looked at logsIT data for over 10 years

- IBM Research

- Conference boards committees

bull Presenting around the world on SecViz

bull Passion for Visualization

- httpsecvizorg

- httpafterglowsourceforgenet

Raffael Marty

Applied Security VisualizationPaperback 552 pages

Publisher Addison Wesley (August 2008)ISBN 0321510100

Security Visualization Today

The 1st Dichotomy

5

The 1st Dichotomy

5

two domainsSecurity amp Visualization

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

Security Visualization Today

The 1st Dichotomy

5

The 1st Dichotomy

5

two domainsSecurity amp Visualization

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

The 2nd Dichotomy

16

Industry
• don't understand the real impact
• get the 70% solution
• don't think big
• no time/money for real research
• can't scale
• work based off of a few customers' input

Academia
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated / impractical solutions
• use graphs / visualization where it is not needed

Some comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08.

The Way Forward

17

Two disciplines: Security, Visualization, SecViz
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline

Two worlds: Industry, Academia
• More academia / industry collaboration
• Build components, widgets, gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

My Focus Areas

18

• Use-case oriented visualization
  - Perimeter Threat
  - Governance, Risk, Compliance (GRC)
  - Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX

Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns

19
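The last two points of the slide (static, fixed-threshold detection that insiders adapt to, versus looking for unusual patterns), as an added example that is not part of the slides: each application-layer event is scored against that user's own history with a median/MAD baseline, next to the fixed-threshold rule it replaces. The audit-log fields, the 500-record threshold and all numbers are constructed assumptions, not data from the talk.

```python
"""Added example (not from the slides): per-user baseline scoring of
application-layer audit events versus a single fixed threshold.

The CSV schema (ts,user,action,records) is an assumption made for this
example; it is not any product's real log format."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample audit log: one row per data export. Rows are in
# time order per user. Alice normally exports ~40 records and then pulls
# 480 at once; Bob routinely exports ~300. No row exceeds 500 records,
# so a static "alert if records > 500" rule stays silent throughout.
SAMPLE_LOG = """\
ts,user,action,records
2008-09-01T09:00,alice,export,40
2008-09-01T09:10,alice,export,45
2008-09-01T09:20,alice,export,38
2008-09-01T09:30,alice,export,42
2008-09-01T09:40,alice,export,41
2008-09-01T10:00,alice,export,480
2008-09-01T09:00,bob,export,300
2008-09-01T09:10,bob,export,320
2008-09-01T09:20,bob,export,290
2008-09-01T09:30,bob,export,310
2008-09-01T09:40,bob,export,305
2008-09-01T10:00,bob,export,330
"""

FIXED_THRESHOLD = 500  # assumed static rule; an insider simply stays under it


def parse_log(text):
    """Parse the CSV audit log into dicts, converting records to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["records"] = int(row["records"])
    return rows


def fixed_threshold_alerts(rows, threshold=FIXED_THRESHOLD):
    """Static rule: alert on any single event above the threshold."""
    return [(r["ts"], r["user"]) for r in rows if r["records"] > threshold]


def robust_zscore(value, history):
    """Distance of value from the median of history, in MAD units.

    Median and MAD (median absolute deviation) are used instead of mean
    and standard deviation so a few legitimate large jobs in the history
    do not inflate the baseline and hide a later anomaly."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    if mad == 0:
        # Perfectly flat history: any change is notable; avoid dividing by 0.
        return float("inf") if value != med else 0.0
    # 1.4826 makes the MAD comparable to a standard deviation for normal data.
    return (value - med) / (1.4826 * mad)


def baseline_alerts(rows, min_history=3, z_limit=5.0):
    """Per-user baseline: score each event against that user's earlier
    events only, then add the event to the history. The baseline thus
    adapts to each user instead of applying one number to everybody."""
    history = defaultdict(list)
    alerts = []
    for r in rows:  # rows must be in time order within each user
        hist = history[r["user"]]
        if len(hist) >= min_history:
            z = robust_zscore(r["records"], hist)
            if z > z_limit:
                alerts.append((r["ts"], r["user"], r["records"], round(z, 1)))
        hist.append(r["records"])
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("fixed threshold:", fixed_threshold_alerts(events))  # []
    print("per-user baseline:", baseline_alerts(events))       # alice's 480
```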

20

SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about security visualization.

Data Analysis and Visualization Linux
davix.secviz.org

The Future

23

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction

Thank you very much

Raffael Marty, secviz.org

The 1st Dichotomy

5

The 1st Dichotomy

5

two domainsSecurity amp Visualization

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 1st Dichotomy

5

two domainsSecurity amp Visualization

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 1st Dichotomy

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

Security Visualization

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

The 2nd Dichotomy

two worlds: Industry & Academia

Industry
• don't understand the real impact
• get the 70% solution
• don't think big
• no time / money for real research
• can't scale
• work based off of a few customers' input

Academia
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated / impractical solutions
• use graphs / visualization where it is not needed

Some comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08.

The Way Forward

Two disciplines
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline

Two worlds
• More academia / industry collaboration
• Build components / widgets / gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

[Diagram labels: Security, Visualization, SecViz]

My Focus Areas

• Use-case oriented visualization
  - Perimeter Threat
  - Governance, Risk, Compliance (GRC)
  - Insider Threat
• IT data visualization
• SecViz.org
• DAVIX

Insider Threat Visualization

• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns

SecViz - Security Visualization
This is a place to share, discuss, challenge and learn about security visualization.

DAVIX - Data Analysis and Visualization Linux
davix.secviz.org


The Future

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction

Thank you very much

raffael marty secviz org


The Failure - New Graphs

The Right Thing - Reuse Graphs

The Failure - The Wrong Graph

The Right Thing - Adequate Graphs

The Failure - The Wrong Integration

• Using proprietary data format
• Provide parsers for various data formats
  - does not scale
  - is probably buggy / incomplete
• Use wrong data access paradigm
• Complex configuration
  - e.g. needs an SSH connection

Slide screenshot (an XML property list excerpt):

/usr/share/man/man5/launchd.plist.5

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>_name</key>
  <dict>
    <key>_isColumn</key>
    <string>YES</string>
    <key>_isOutlineColumn</key>
    <string>YES</string>
    <key>_order</key>
    <string>0</string>
  </dict>
  <key>bsd_name</key>
  <dict>
    <key>_order</key>
    <string>62</string>
  </dict>
  <key>detachable_drive</key>
  <dict>
    <key>_order</key>
    <string>59</string>
  </dict>
  <key>device_manufacturer</key>
  <dict>
    <key>_order</key>
    <string>41</string>
  </dict>
  <key>device_model</key>
  <dict>
    <key>_order</key>
    <string>42</string>
  </dict>
  <key>device_revision</key>

The Right Thing - KISS

• Keep It Simple, Stupid
• Use CSV input
• Use files as input
• Offload to other tools
  - parsers
  - data conversions

Using node sizes:
size.source=1
size.target=200
maxNodeSize=0.2
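As an added example (not AfterGlow's code and not from the slides) of the KISS approach above, and of the entity extraction step named under "The Future": a throwaway script reduces constructed log lines in two syntaxes to the (source, target, event) CSV a visualizer should consume, then emits Graphviz DOT with node sizes. The meaning given to size.source, size.target and maxNodeSize is my assumption modelled on the slide's property names, and the log lines are constructed samples.

```python
"""Added example, not AfterGlow's or the slide author's code.

Parsing is kept outside the visualizer: raw log lines are reduced to the
three-column (source, target, event) CSV the visualizer consumes, and the
visualizer in turn only emits Graphviz DOT for another tool to draw.
The log lines are constructed samples.  The semantics given to
size.source / size.target / maxNodeSize are an assumption modelled on
the slide's property names, not AfterGlow's actual behaviour.
"""
import csv
import io
import re
import sys
from collections import Counter

# Constructed sample events in two syntaxes that express the same kind of
# fact: some host/user touched some user/resource.
LOG_LINES = [
    "Sep 12 10:01:02 bastion sshd[2110]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "Sep 12 10:01:40 bastion sshd[2130]: Failed password for root from 198.51.100.7 port 4040 ssh2",
    "Sep 12 10:02:01 bastion sshd[2131]: Failed password for root from 198.51.100.7 port 4041 ssh2",
    '10.0.0.5 - alice [12/Sep/2008:10:03:11 +0200] "GET /payroll/export.csv HTTP/1.1" 200 8831',
    '10.0.0.5 - alice [12/Sep/2008:10:03:15 +0200] "GET /payroll/export.csv HTTP/1.1" 200 8831',
    '10.0.0.9 - bob [12/Sep/2008:10:04:00 +0200] "POST /login HTTP/1.1" 401 0',
]

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)
HTTP_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def extract_triples(lines):
    """Entity extraction: map every syntax onto one schema, (source, target, event).

    Lines no extractor understands are returned separately rather than dropped
    silently, so a missing parser shows up as a count instead of a gap in the graph.
    """
    triples, unparsed = [], []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            triples.append((m["src"], m["user"], "ssh_" + m["result"].lower()))
            continue
        m = HTTP_RE.match(line)
        if m:
            triples.append((m["src"], m["path"], "http_" + m["status"]))
            continue
        unparsed.append(line)
    return triples, unparsed


def to_csv(triples):
    """The hand-off format between parser and visualizer: plain CSV, one edge per row."""
    buf = io.StringIO()
    csv.writer(buf).writerows(triples)
    return buf.getvalue()


def node_sizes(triples, size_source=1.0, size_target=200.0, max_node_size=0.2):
    """Assumed property semantics: each appearance as a source adds size.source to
    a node's weight, each appearance as a target adds size.target, and the heaviest
    node is drawn at max_node_size inches.  The 0.05 floor is this example's choice."""
    weight = Counter()
    for src, dst, _event in triples:
        weight[src] += size_source
        weight[dst] += size_target
    heaviest = max(weight.values())
    return {n: round(max(0.05, max_node_size * w / heaviest), 3) for n, w in weight.items()}


def to_dot(triples, sizes):
    """Emit Graphviz DOT; drawing is offloaded to dot(1) rather than reimplemented."""
    edges = Counter(triples)
    out = ["digraph secviz {", "  node [shape=ellipse, fixedsize=true];"]
    for node, size in sorted(sizes.items()):
        out.append(f'  "{node}" [width={size}, height={size}];')
    for (src, dst, event), n in sorted(edges.items()):
        out.append(f'  "{src}" -> "{dst}" [label="{event} x{n}"];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    found, unparsed = extract_triples(LOG_LINES)
    sys.stdout.write(to_csv(found))          # what the visualizer would read from a file
    print(to_dot(found, node_sizes(found)))  # pipe into: dot -Tpng -o graph.png
    if unparsed:
        print(f"# {len(unparsed)} line(s) had no extractor", file=sys.stderr)
```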

The Failure - So What?

The Right Thing - Help The User Along

• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays

The Failure - Unnecessary Ink

The Right Thing - Apply Good Visualization Practices

• Don't use graphics to decorate a few numbers
• Reduce data-ink ratio
• Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 1st Dichotomy

bull security databull networking protocolsbull routing protocols (the Internet)bull security impactbull security policybull jargonbull use-casesbull are the end-users

5

bull types of databull perceptionbull opticsbull color theorybull depth cue theorybull interaction theory bull types of graphsbull human computer interaction

Security Visualization

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The Failure - New Graphs

6

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Future

23

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction

Vielen Dank (Thank you very much)

Raffael Marty, secviz.org

The Right Thing - Reuse Graphs

7

The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

• Using proprietary data format
• Provide parsers for various data formats
  • does not scale
  • is probably buggy, incomplete
• Use wrong data access paradigm
  • complex configuration, e.g. needs an SSH connection

[Figure: XML property list (plist) excerpt, /usr/share/man/man5/launchd.plist.5, shown as an example of a proprietary data format]

The Right Thing - KISS

11

• Keep It Simple, Stupid
• Use CSV input
• Use files as input
• Offload to other tools
  • parsers
  • data conversions

Using node sizes:
size.source=1
size.target=200
maxNodeSize=0.2
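The KISS slide above (hand the visualization tool a plain CSV file and do the parsing elsewhere, with node sizes such as size.source, size.target and maxNodeSize driven by the data) and the earlier Insider Threat Visualization slide (log legitimate application-layer access, not only the exceptions, and look for unusual patterns) are served by one added example. It is not code from the original slides or from the AfterGlow project. It parses a handful of constructed application-layer audit records in a hypothetical `user=... action=... object=... status=...` format, aggregates them into a user-to-object edge list, derives a size per node capped at a maxNodeSize, and writes a flat edge-list CSV for a graph tool to consume. The log format, every record, the CSV column layout and the function names are this example's assumptions, not AfterGlow's conventions.

```python
"""
Build a link-graph edge list from application-layer audit logs.

Added example, not code from the original slides or from AfterGlow.
The pipeline follows the KISS slide: parse outside the visualization
tool and hand it a plain CSV file, with node sizes derived from the data.
Log format, records and CSV column layout are constructed assumptions.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed audit records (hypothetical format):
# <timestamp> user=<uid> action=<verb> object=<resource> status=<ok|denied>
# Successful accesses are kept on purpose: insiders act through legitimate
# access, so logging only the denials would miss them (Insider Threat slide).
SAMPLE_LOG = """\
2008-09-01T08:02:11 user=alice action=read object=/hr/payroll/2008-08.xls status=ok
2008-09-01T08:05:40 user=alice action=read object=/hr/payroll/2008-08.xls status=ok
2008-09-01T08:09:03 user=bob action=read object=/eng/design/spec.doc status=ok
2008-09-01T09:15:27 user=carol action=export object=/hr/payroll/2008-08.xls status=ok
2008-09-01T09:16:02 user=carol action=export object=/hr/payroll/2008-07.xls status=ok
2008-09-01T09:16:44 user=carol action=export object=/hr/payroll/2008-06.xls status=ok
2008-09-01T09:17:19 user=carol action=export object=/finance/bank_accounts.xls status=ok
2008-09-01T10:01:55 user=bob action=write object=/eng/design/spec.doc status=ok
2008-09-01T10:30:00 user=dave action=read object=/finance/bank_accounts.xls status=denied
this line is not an audit record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
    r"\s+object=(?P<object>\S+)\s+status=(?P<status>ok|denied)$"
)


def parse_audit_log(text):
    """Yield one dict per well-formed line; malformed lines are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def build_edges(records):
    """Aggregate user -> object pairs into weighted edges (the link-graph input)."""
    edges = Counter()
    for r in records:
        edges[(r["user"], r["object"])] += 1
    return edges


def node_sizes(edges, max_node_size=0.2):
    """Map each node's total event count onto (0, max_node_size].

    The graph tool only needs one number per node plus an upper bound,
    which is what size.source / size.target / maxNodeSize express.
    """
    totals = defaultdict(int)
    for (src, dst), n in edges.items():
        totals[src] += n
        totals[dst] += n
    biggest = max(totals.values())
    return {node: round(max_node_size * n / biggest, 3) for node, n in totals.items()}


def to_csv(edges, sizes):
    """Render 'source,target,count,source_size' rows (column layout assumed here)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    for (src, dst), n in sorted(edges.items()):
        w.writerow([src, dst, n, sizes[src]])
    return buf.getvalue()


def top_fan_out(edges, k=1):
    """Users touching the most distinct objects: one 'unusual pattern' to inspect."""
    distinct = defaultdict(set)
    for (src, dst) in edges:
        distinct[src].add(dst)
    return sorted(distinct, key=lambda u: len(distinct[u]), reverse=True)[:k]


if __name__ == "__main__":
    edges = build_edges(parse_audit_log(SAMPLE_LOG))
    sizes = node_sizes(edges)
    print(to_csv(edges, sizes))
    print("highest fan-out:", top_fan_out(edges))
```

Running it prints seven edge rows and reports carol, who exported four distinct payroll and finance files in two minutes, as the user with the highest fan-out; in the sample the only denied event (dave) is the least interesting one, which is the slide's point about logging more than the exceptions.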

The Failure - So What?

12

The Right Thing - Help The User Along

13

• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

• Don't use graphics to decorate a few numbers
• Reduce non-data ink (improve the data-ink ratio)
• Visualization principles

The 2nd Dichotomy

16

Two worlds: Industry & Academia

Industry
• don't understand the real impact
• get the 70% solution
• don't think big
• no time/money for real research
• can't scale
• work based off of a few customers' input

Academia
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated, impractical solutions
• use graphs/visualization where it is not needed

Some comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08


The Failure - The Wrong Graph

8

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The Right Thing - Adequate Graphs

9

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The Right Thing - Adequate Graphs

9

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

two worlds: Industry & Academia

Industry
• don't understand the real impact
• get the 70% solution
• don't think big
• no time/money for real research
• can't scale
• work based off of a few customers' input

Academia
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated, impractical solutions
• use graphs / visualization where it is not needed

Some comments are based on paper reviews from RAID 2007/08 and VizSec 2007/08.

The Way Forward

Two disciplines: Security + Visualization = SecViz
• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline

Two worlds: Industry & Academia
• More academia / industry collaboration
• Build components, widgets, gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

My Focus Areas

• Use-case oriented visualization
  - Perimeter Threat
  - Governance, Risk, Compliance (GRC)
  - Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX

Insider Threat Visualization

• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
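The slide above makes two claims a detection engineer should take literally: the questions are not known in advance, and a fixed threshold is something a fraudster learns and stays under. The script below is an added example, not from the talk, that scores each user's daily record-access count against that user's own history (median and MAD) instead of a global cut-off. The audit log is constructed, and the threshold and z-score cut-off are illustrative choices.

```python
"""Fixed threshold vs. per-user baseline on application-layer access logs.

Added example, not from the talk. AUDIT_LOG is constructed: one record per
day, user and number of customer records that user viewed. "alice" spikes
to just under the fixed cut-off a static rule would use, so that rule never
fires; a baseline built from her own earlier days still flags the day.
"""
from collections import defaultdict
from statistics import median

# Constructed application audit log: day,user,records_viewed
AUDIT_LOG = """\
2008-09-01,alice,41
2008-09-02,alice,39
2008-09-03,alice,44
2008-09-04,alice,40
2008-09-05,alice,42
2008-09-08,alice,43
2008-09-09,alice,198
2008-09-01,bob,12
2008-09-02,bob,15
2008-09-03,bob,11
2008-09-04,bob,14
2008-09-05,bob,13
2008-09-08,bob,14
2008-09-09,bob,12
"""

FIXED_THRESHOLD = 200  # illustrative "more than N records per day" rule


def parse_audit_log(text):
    """Return {user: [(day, count), ...]} preserving log order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, count = line.split(",")
        per_user[user].append((day, int(count)))
    return per_user


def fixed_threshold_alerts(per_user, threshold=FIXED_THRESHOLD):
    """Static rule: alert when any single day exceeds the global threshold."""
    return [(user, day, n) for user, rows in per_user.items()
            for day, n in rows if n > threshold]


def robust_zscore(value, history):
    """Distance of value from the median of history, in units of the median
    absolute deviation (MAD). Median/MAD are robust to the very outliers we
    are looking for, unlike mean/standard deviation."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # guard flat histories
    return (value - med) / (1.4826 * mad)  # 1.4826 makes MAD comparable to sigma


def baseline_alerts(per_user, min_history=5, z_cut=5.0):
    """Per-user rule: alert when a day deviates strongly from that user's own
    earlier days. Only days before the one under test form the baseline, so
    the day being scored cannot shift its own baseline."""
    alerts = []
    for user, rows in per_user.items():
        for i in range(min_history, len(rows)):
            history = [n for _, n in rows[:i]]
            day, n = rows[i]
            z = robust_zscore(n, history)
            if z > z_cut:
                alerts.append((user, day, n, round(z, 1)))
    return alerts


if __name__ == "__main__":
    users = parse_audit_log(AUDIT_LOG)
    print("fixed threshold  :", fixed_threshold_alerts(users))
    print("per-user baseline:", baseline_alerts(users))
```

The fixed rule stays silent on alice's 198 records; the per-user baseline flags that day with a z-score far above the cut-off while bob, whose counts never leave his usual band, produces nothing. The baseline is not a cure: an insider who ramps up slowly enough drags the median along with them, so the history window and re-baselining policy become the next thing the bandit probes. That is the slide's point in code form: the display has to let the analyst see the pattern, not only the rule's verdict.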

SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about security visualization.

DAVIX - Data Analysis and Visualization Linux
davix.secviz.org

The Future

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction
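The KISS slide earlier argues for feeding the visualization tool plain CSV files and pushing parsing out to separate tools; the data-semantics point on this slide is that the parsing step is exactly where differently formatted events have to be mapped onto common entities before any graph can be drawn. The script below is an added example, not from the talk and not a Common Event Expression implementation: it extracts the same source, target and outcome entities from three constructed log formats and writes the aggregated source,target,count CSV a graph tool can load. The regexes, the schema and the sample lines are all constructed here.

```python
"""Entity extraction across log formats, then CSV for a graph tool.

Added example, not from the talk and not a Common Event Expression
implementation. RAW_LOG is constructed (iptables-style firewall, sshd and
web-server lines plus one line nothing understands); the common schema
(src, target, outcome) and the target naming are illustrative choices.
"""
import csv
import io
import re
from collections import Counter

RAW_LOG = """\
Sep 12 10:01:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=22
Sep 12 10:01:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=51235 DPT=22
Sep 12 10:01:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=80
Sep 12 10:01:05 srv sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51235 ssh2
Sep 12 10:01:06 srv sshd[2240]: Failed password for invalid user admin from 10.0.0.9 port 3345 ssh2
10.0.0.7 - - [12/Sep/2008:10:01:07 +0200] "GET /login HTTP/1.1" 200 512
Sep 12 10:01:08 srv cron[100]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One (name, regex, mapper) per format. Each mapper turns the regex's named
# groups into the same three entities, so downstream code never sees the
# format again. Supporting a new format means adding one entry here.
PARSERS = [
    ("iptables",
     re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
                r"(?:SPT=\d+ )?DPT=(?P<dport>\d+)"),
     lambda g: (g["src"], f"{g['dst']}:{g['dport']}/{g['proto'].lower()}", "firewall")),
    ("sshd",
     re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"),
     lambda g: (g["src"], f"ssh:{g['user']}", g["result"].lower())),
    ("httpd",
     re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)'
                r'[^"]*" (?P<status>\d{3})'),
     lambda g: (g["src"], f"http:{g['method']} {g['path']}", g["status"])),
]


def normalize(text):
    """Map every line onto the common schema. Lines no parser understands are
    returned separately: in a real pipeline they are the gap in coverage you
    want to see, not something to drop silently."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        for fmt, rx, to_schema in PARSERS:
            m = rx.search(line)
            if m:
                src, target, outcome = to_schema(m.groupdict())
                records.append({"format": fmt, "src": src,
                                "target": target, "outcome": outcome})
                break
        else:
            unparsed.append(line)
    return records, unparsed


def edges_csv(records):
    """Aggregate source->target pairs and emit plain source,target,count CSV.
    The count column is the value a graph tool can map onto node or edge
    size; the tool itself never has to parse a log line."""
    counts = Counter((r["src"], r["target"]) for r in records)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for (src, target), n in sorted(counts.items()):
        writer.writerow([src, target, n])
    return buf.getvalue()


if __name__ == "__main__":
    recs, bad = normalize(RAW_LOG)
    print(edges_csv(recs), end="")
    print(f"# {len(bad)} unparsed line(s)")
```

Run it and the two SSH connection attempts from 10.0.0.5 collapse into one edge with count 2, the failed login for a non-existent user shows up as its own edge, and the cron line is reported as unparsed rather than vanishing. Keeping the format-specific knowledge in the parser table and the graph tool on a three-column file is what the KISS slide means by offloading parsing and data conversion.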

Vielen Dank - Thank you

raffael.marty@secviz.org

The Failure - The Wrong Integration

10

bull Using proprietary data formatbull Provide parsers for various data formats

bull does not scalebull is probably buggy incomplete

bull Use wrong data access paradigm bull complex configuration

eg needs an SSH connection

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

bull Keep It Simple Stupidbull Use CSV inputbull Use files as inputbull Offload to other tools

bull parsersbull data conversions

The Right Thing - KISS

11

Using node sizessizesource=1sizetarget=200maxNodeSize=02

usrsharemanman5launchdplist5ltxml version=10 encoding=UTF-8gtltDOCTYPE plist PUBLIC -Apple ComputerDTD PLIST 10EN httpwwwapplecomDTDsPropertyList-10dtdgtltplist version=10gtltdictgt ltkeygt_nameltkeygt ltdictgt ltkeygt_isColumnltkeygt ltstringgtYESltstringgt ltkeygt_isOutlineColumnltkeygt ltstringgtYESltstringgt ltkeygt_orderltkeygt ltstringgt0ltstringgt ltdictgt ltkeygtbsd_nameltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt62ltstringgt ltdictgt ltkeygtdetachable_driveltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt59ltstringgt ltdictgt ltkeygtdevice_manufacturerltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt41ltstringgt ltdictgt ltkeygtdevice_modelltkeygt ltdictgt ltkeygt_orderltkeygt ltstringgt42ltstringgt ltdictgt ltkeygtdevice_revisionltkeygt

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The Failure - So What

12

The Right Thing - Help The User Along

13

bull Provide use-case aligned displaysbull Meaningful legendsbull Interactive explorationbull UI design that guides the user through tasksbull Do not overload displays

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Thank you

raffael.marty@secviz.org

The Right Thing - Help The User Along
• Provide use-case aligned displays
• Meaningful legends
• Interactive exploration
• UI design that guides the user through tasks
• Do not overload displays

The Failure - Unnecessary Ink

The Right Thing - Apply Good Visualization Practices
• Don't use graphics to decorate a few numbers
• Reduce data-ink ratio
• Visualization principles

The 2nd Dichotomy
Two worlds: Industry & Academia

Industry
• don't understand the real impact
• get the 70% solution
• don't think big
• no time/money for real research
• can't scale
• work based off of a few customers' input

Academia
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated / impractical solutions
• use graphs / visualization where it is not needed

Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08.

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The Failure - Unnecessary Ink

14

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The Right Thing - Apply Good Visualization Practices

15

bull Dont use graphics to decorate a few numbersbull Reduce data ink ratiobull Visualization principles

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

two worldsIndustry amp Academia

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

The 2nd Dichotomy

16

Industry

• don’t understand the real impact
• get the 70% solution
• don’t think big
• no time/money for real research
• can’t scale
• work based off of a few customers’ input

Academia

• don’t know what’s been done in industry
• don’t understand the use-cases
• don’t understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated / impractical solutions
• use graphs / visualization where it is not needed

Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08

The Way Forward

17

• Building a secviz discipline
• Bridging the gap
• Learning the “other” discipline

[Diagram: two overlapping circles, Security and Visualization, meeting in SecViz. Caption: Two disciplines, Two worlds]

• More academia / industry collaboration
• Build components / widgets / gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

My Focus Areas

18

• Use-case oriented visualization
• Perimeter Threat
• Governance, Risk, Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.org
• DAVIX

Insider Threat Visualization

• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns

19
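The slide's last two points, that static algorithms and fixed thresholds break down against insiders whose legitimate volume varies per person and who adapt to a known limit, are easiest to see on actual events. The following is an added example, not code from the talk or from any of the author's tools: it runs a constructed set of application-layer export events (the log format, the users alice, bob and etl, the record counts and the 1000-record limit are all assumed) through a global fixed threshold and then through a per-user baseline built from each user's own earlier events, scored with a robust median / MAD z-score.

```python
"""Fixed threshold versus adaptive per-user baseline on application-layer audit events."""
from collections import defaultdict
from statistics import median

# Constructed application-layer audit events (not real data), one export per line:
# "timestamp user action record_count".  alice normally exports ~40 records and
# suddenly exports 600; bob normally exports ~970 and jumps to 1600; etl is a batch
# account that legitimately exports ~1200 records every hour.
AUDIT_LOG = """\
2008-09-01T09:00 alice export 40
2008-09-01T10:00 alice export 45
2008-09-01T11:00 alice export 38
2008-09-01T12:00 alice export 42
2008-09-01T13:00 alice export 41
2008-09-01T14:00 alice export 600
2008-09-01T09:00 bob export 950
2008-09-01T10:00 bob export 980
2008-09-01T11:00 bob export 990
2008-09-01T12:00 bob export 960
2008-09-01T13:00 bob export 975
2008-09-01T14:00 bob export 1600
2008-09-01T09:00 etl export 1200
2008-09-01T10:00 etl export 1210
2008-09-01T11:00 etl export 1195
2008-09-01T12:00 etl export 1205
2008-09-01T13:00 etl export 1200
2008-09-01T14:00 etl export 1198
"""

FIXED_LIMIT = 1000  # an assumed static "records per export" alert threshold


def parse_audit_log(text):
    """Parse the whitespace-separated audit lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append({"ts": ts, "user": user, "action": action, "count": int(count)})
    # sorted() is stable, so each user's own events keep their relative order
    return sorted(events, key=lambda e: e["ts"])


def fixed_threshold_alerts(events, limit=FIXED_LIMIT):
    """Static rule: alert whenever a single export exceeds one global limit.
    It misses a small-baseline user entirely and fires on every run of a large
    but legitimate batch account."""
    return [(e["user"], e["ts"], e["count"]) for e in events if e["count"] > limit]


def robust_zscore(value, history):
    """One-sided robust z-score: distance above the user's own median in units of
    median absolute deviation, scaled by 0.6745 so it is comparable to a normal
    z-score.  Median/MAD are not dragged around by a single extreme value."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:  # perfectly flat history: any increase above the median is unusual
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad


def adaptive_alerts(events, k=3.5, min_history=4):
    """Per-user baseline: score each event only against that user's *previous*
    events, so the outlier never pollutes the baseline it is judged against and
    the baseline follows each user's legitimate volume over time."""
    history = defaultdict(list)
    alerts = []
    for e in events:
        past = history[e["user"]]
        if len(past) >= min_history:
            score = robust_zscore(e["count"], past)
            if score > k:
                alerts.append((e["user"], e["ts"], e["count"], round(score, 1)))
        past.append(e["count"])
    return alerts


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    print("fixed-threshold alerts:", fixed_threshold_alerts(evs))
    print("adaptive alerts:       ", adaptive_alerts(evs))
```

On this data the fixed limit produces seven alerts, six of them the batch account's normal hourly runs, and never sees alice's fifteen-fold jump because 600 records is still under the limit; the per-user baseline flags exactly alice's and bob's 14:00 exports. The baseline here is deliberately simple (one metric, one window); the slide's point is that whatever the metric, the reference has to be each entity's own history rather than one number chosen in advance.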

20

SecViz - Security Visualization
This is a place to share, discuss, challenge and learn about security visualization.

DAVIX - Data Analysis and Visualization Linux
davix.secviz.org

The Future

23

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction
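The "data semantics problem" on this slide is concrete: before anything can be visualised across sources, the who / from-where / did-what / with-what-result entities have to be pulled out of each source's own format into one shared schema. The block below is an added illustration, not code from the talk, from Common Event Expression or from any SecViz tool; the six log lines, the three regular expressions and the six-field schema are all constructed and assumed for this example (the schema is a minimal stand-in, not the CEE specification).

```python
"""Entity extraction: normalising heterogeneous log lines into one common event schema."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in three unrelated formats (not real logs): an sshd
# syslog line, an Apache-style access line and a key=value firewall line.
SAMPLE_LINES = [
    "Sep  1 09:12:01 gw sshd[4711]: Failed password for alice from 10.0.0.5 port 51234 ssh2",
    "Sep  1 09:12:07 gw sshd[4711]: Accepted password for alice from 10.0.0.5 port 51236 ssh2",
    '10.0.0.5 - alice [01/Sep/2008:09:13:00 +0200] "GET /payroll/export HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Sep/2008:09:13:30 +0200] "GET /index.html HTTP/1.1" 404 210',
    "Sep  1 09:14:00 fw1 kernel: action=drop src=192.0.2.7 dst=10.0.0.5 proto=tcp dpt=22",
    "Sep  1 09:14:02 fw1 kernel: action=accept src=10.0.0.5 dst=10.0.0.20 proto=tcp dpt=443",
]

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
HTTP_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
KV_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) \S+ (?P<kv>(?:\w+=\S+\s*)+)$")

# The assumed common schema every parser maps into.  The entity names are what an
# analyst pivots and visualises on: who, from where, did what, with what result.
FIELDS = ("source", "time", "src_ip", "user", "action", "outcome")


def extract(line):
    """Return the common-schema event for one line, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
        return dict(zip(FIELDS, ("sshd", m["ts"], m["src"], m["user"], "login", outcome)))
    m = HTTP_RE.match(line)
    if m:
        user = None if m["user"] == "-" else m["user"]  # "-" means unauthenticated
        outcome = "success" if m["status"][0] in "23" else "failure"
        return dict(zip(FIELDS, ("http", m["ts"], m["src"], user,
                                  f"{m['method']} {m['path']}", outcome)))
    m = KV_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        outcome = "success" if kv.get("action") == "accept" else "failure"
        return dict(zip(FIELDS, ("firewall", m["ts"], kv.get("src"), None,
                                  f"connect {kv.get('dst')}:{kv.get('dpt')}", outcome)))
    return None


def normalize(lines):
    """Split raw lines into common-schema events and the lines no parser handled.
    Unparsed lines are returned rather than dropped: silently losing events is
    exactly how an insider's activity disappears from the picture."""
    events, unparsed = [], []
    for line in lines:
        event = extract(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


def sources_by_entity(events, key):
    """Map each entity value (e.g. an IP) to the set of log sources it appears in.
    Only after extraction can this question be asked across sources at all."""
    seen = defaultdict(set)
    for e in events:
        if e[key] is not None:
            seen[e[key]].add(e["source"])
    return dict(seen)


def pivot(events, key):
    """Count events per entity value: the table a chart would be drawn from."""
    return Counter(e[key] for e in events if e[key] is not None)


if __name__ == "__main__":
    evs, bad = normalize(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print("unparsed:", bad)
    print("src_ip pivot:", pivot(evs, "src_ip"))
    print("sources per src_ip:", sources_by_entity(evs, "src_ip"))
```

Once the lines share a schema, the host 10.0.0.5 shows up in the sshd, HTTP and firewall sources at once, which no single source could have shown. The `time` field is deliberately left in each source's own notation here; a real normaliser would also bring timestamps onto one clock, which is the other half of the semantics problem the slide names.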

Thank you

SecViz

raffael marty secviz org

The 2nd Dichotomy

16

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impact

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solution

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think big

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real research

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

Industry:
• don't understand the real impact
• get the 70% solution
• don't think big
• no time/money for real research
• can't scale
• work based off of a few customers' input

Academia:
• don't know what's been done in industry
• don't understand the use-cases
• don't understand the environments / data domain
• work on simulated data
• construct their own problems
• use overly complicated, impractical solutions
• use graphs / visualization where it is not needed

Some comments are based on paper reviews from RAID 2007/08, VizSec 2007/08

The Way Forward

• Building a secviz discipline
• Bridging the gap
• Learning the "other" discipline

(Diagram: Security and Visualization overlapping in SecViz. Two disciplines, two worlds.)

• More academia - industry collaboration
• Build components, widgets, gadgets
• (Re-)use existing technologies
• Focus on strengths
• Focus on the visualization and interaction aspects

My Focus Areas

• Use-case oriented visualization
• Perimeter Threat
• Governance, Risk, Compliance (GRC)
• Insider Threat
• IT data visualization
• SecViz.Org
• DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scale

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industry

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-cases

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualizationbull Huge amounts of databull More and other data sources than for the traditional security use-cases- Insiders often have legitimate access to machines and data You need to log more than the

exceptions

- Insider crimes are often executed on the application layer

bull The questions are not known in advance - Visualization provokes questions and helps find answers

bull Dynamic nature of fraud- Problem for static algorithms

- Bandits quickly adapt to fixed threshold-based detection systems

bull Looking for any unusual patterns

19

20

20

SecViz - Security VisualizationThis is a place to share discuss challenge and learn about

security visualization

Data Analysis and Visualization Linuxdavixsecvizorg

D

V

X

bull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

The Futurebull Addressing the secviz dichotomy

bull Better industry - academia collaboration

bull More and better visualization tools

- Use-case driven product development

bull We need to solve the data semantics problem

- Common Event Expression

- Entity extraction

23

Vielen Dank

S

E

C I

V

Z

raffael marty secviz org

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domain

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated data

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutions

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The 2nd Dichotomy

16

bull donrsquot understand the real impactbull get the 70 solutionbull donrsquot think bigbull no timemoney for real researchbull canrsquot scalebull work based off of a few

customerrsquos input

bull donrsquot know whatrsquos been done in industrybull donrsquot understand the use-casesbull donrsquot understand the environments

data domainbull work on simulated databull construct their own problems bull use overly complicated impractical

solutionsbull use graphs visualization where it is not

needed

Some comments are based on paper reviews from RAID 200708 VizSec 200708

Industry Academia

The Way Forward

17

bull Building a secviz disciplinebull Bridging the gapbull Learning the ldquootherrdquo discipline

Security Visualization

SecViz

bull More academia industry collaboration bull Build components widgets gadgetsbull (Re-)use existing technologiesbull Focus on strengthsbull Focus on the visualization and interaction aspects

Two disciplines

Two worlds

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

My Focus Areas

18

bull Use-case oriented visualizationbull Perimeter Threatbull Governance Risk Compliance (GRC)bull Insider Threat bull IT data visualizationbull SecVizOrgbull DAVIX

Insider Threat Visualization

• Huge amounts of data
• More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns

19
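To make the slide's point about static algorithms concrete, here is an added example (not code from the talk, from secviz.org or from DAVIX): a hypothetical global "more than 300 records exported per day" rule beside a per-user median/MAD baseline, both run over constructed daily export counts for three users, where every export is logged rather than only the exceptions.

```python
"""Fixed global threshold vs. per-user baseline over application-layer logs.

Added illustration for the Insider Threat Visualization slide; this is not
code from the talk, from secviz.org or from DAVIX. Users, log format and
daily counts are constructed for the example.
"""
from collections import defaultdict
from statistics import median

FIXED_LIMIT = 300      # hypothetical global rule: "> 300 records exported per day"
BASELINE_DAYS = 7      # days of each user's own history used as baseline
K = 5.0                # alert when a day exceeds median + K * MAD
MIN_SCALE = 2.0        # floor for the MAD so very regular users do not alert on noise


def build_log():
    """Constructed daily export counts as (day, user, records_exported).

    Every export is logged, not only failures or policy exceptions: an insider
    with legitimate access never triggers an exception, so an exception-only
    log would contain nothing to analyze.
    """
    alice = [5, 6, 4, 7, 5, 6, 5, 6, 4, 5, 7, 5, 6, 5]                         # analyst, steady
    bob = [400, 390, 410, 405, 395, 415, 400, 398, 402, 410, 390, 405, 400, 397]  # reporting job
    carol = [4, 5, 4, 6, 5, 4, 5, 8, 15, 30, 60, 120, 200, 280]                 # ramps up, stays < 300
    log = []
    for day in range(1, 15):
        log.append((day, "alice", alice[day - 1]))
        log.append((day, "bob", bob[day - 1]))
        log.append((day, "carol", carol[day - 1]))
    return log


def fixed_threshold_alerts(log, limit=FIXED_LIMIT):
    """Static rule: alert whenever a user exceeds `limit` on a day.

    Whoever learns the limit simply stays below it, while a legitimately
    heavy user (bob) is flagged every single day.
    """
    return sorted((day, user) for day, user, n in log if n > limit)


def per_user_baseline_alerts(log, baseline_days=BASELINE_DAYS, k=K, min_scale=MIN_SCALE):
    """Alert when a day deviates from the user's own history.

    Baseline per user = median and median absolute deviation (MAD) of that
    user's counts in the first `baseline_days` days. Returns tuples of
    (day, user, count, score) where score is the robust z-score
    (count - median) / MAD.
    """
    history = defaultdict(list)
    for day, user, n in log:
        if day <= baseline_days:
            history[user].append(n)

    alerts = []
    for day, user, n in log:
        if day <= baseline_days or user not in history:
            continue
        med = median(history[user])
        mad = max(median(abs(x - med) for x in history[user]), min_scale)
        if n > med + k * mad:
            alerts.append((day, user, n, round((n - med) / mad, 1)))
    return alerts


if __name__ == "__main__":
    log = build_log()
    print("fixed threshold:", fixed_threshold_alerts(log))      # bob on all 14 days, carol never
    print("per-user baseline:", per_user_baseline_alerts(log))  # carol on days 10 to 14
```

The baseline here is frozen over the first seven days; a rolling baseline would be dragged upward by carol's slow ramp, which is the "bandits adapt" problem the slide names and one reason the talk pairs algorithms with visualization and human review.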

20

SecViz - Security Visualization
This is a place to share, discuss, challenge, and learn about security visualization.

DAVIX - Data Analysis and Visualization Linux
davix.secviz.org

The Future

• Addressing the secviz dichotomy
• Better industry - academia collaboration
• More and better visualization tools
  - Use-case driven product development
• We need to solve the data semantics problem
  - Common Event Expression
  - Entity extraction

23

Thank you very much

Raffael Marty, secviz.org
