Visualization: Transforming How We View Security
DESCRIPTION
Visual analytics have been emerging in recent years to help transform cyber security data into relevant information so professionals can acquire greater insight into their security posture, respond faster, and prove compliance. Among the benefits of visualization are the ability to deal with vast amounts of security data, quickly discover patterns and anomalies, and effectively communicate issues to experts and non-experts alike. Learn how visualization is transforming the security field, what visualization tools are available today, and basic principles for successfully implementing security data visualization.
TRANSCRIPT
![Page 1: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/1.jpg)
Visualization: Transforming How We View Security
Anita D’Amico, Ph.D., [email protected]
I5, April 28 2008
![Page 2: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/2.jpg)
Company Background
• Secure Decisions is a division of Applied Visions, Inc.
• We create visual aids to improve situational awareness of vulnerabilities and threats to critical infrastructure
• We provide security visualization products and custom solutions
• Result of over 10 years of visualization R&D for military and civilian agencies, and commercial clients
![Page 3: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/3.jpg)
Agenda
• Value of visualization
• The psychology behind making effective visualizations
• Current uses of visualization in the security lifecycle
• Issues affecting how you implement security visualizations in your enterprise
![Page 4: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/4.jpg)
In a Nutshell
• “Visual analytics” help security professionals analyze large volumes of complex security data
• Many security tools are adding some form of visualization, but … not all “pretty pictures” are useful
• No single visualization is effective for all tasks and phases of the security lifecycle
• Good visualization systems are grounded in psychological principles of situational awareness
• Good visualization systems go beyond graphics
![Page 5: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/5.jpg)
VALUE OF VISUALIZATION
![Page 6: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/6.jpg)
A Picture is Worth a Thousand Log Files
• Actionable information
• Greater insight
• Faster response times
• Communicate results
MeerCAT under development for DOD by Secure Decisions www.SecureDecisions.com
![Page 7: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/7.jpg)
Visual Analytics
Visualizations to analyze and understand large quantities of often ambiguous or conflicting data.
Major thrust of Department of Homeland Security’s National Visualization and Analytics Center
Source: Ed Blanchfield www.visualcomplexity.com
![Page 8: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/8.jpg)
Value of Visualization
• Orient your attention to the most critical information
• Discover patterns, trends, and anomalies in network data
• Comprehend massive amounts of data more quickly than from text
• See context (e.g. location, timing) of security events
• Makes the intangible cyber world easier to understand and explain, especially to non-experts
![Page 9: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/9.jpg)
Visualization Lets Us “See” Cyberspace
Source: Ed Blanchfield www.visualcomplexity.com/vc/project_details.cfm?index=17&id=268&domain=Computer%20Systems
15 minutes of log data for a class B firewall – no background worm traffic
The same data with background worm traffic
![Page 10: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/10.jpg)
VISUALIZATIONS BASED ON PSYCHOLOGY OF SITUATIONAL AWARENESS
![Page 11: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/11.jpg)
3 Stages of Situational Awareness
Situation Assessment / Response Management
• Perception – What’s happening right now?
• Comprehension – What is the relevance of what I’m seeing?
• Projection – What will happen if I do or don’t take action?
![Page 12: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/12.jpg)
Perception
Visual Techniques to Enhance Perception
• One data source at a time; e.g. only IPS alerts, or CERT advisories, or network performance metrics
• Simple 2D graphics like pie charts and line graphs
• Distinctive color highlighting
• Same screen set-up every time, e.g. dashboard
• Simple maps and diagrams
• Prioritized data
![Page 13: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/13.jpg)
Enhancing Perception
• Dashboard of Current Status
• Color Highlighting to Direct Attention
• Map for General Orientation and Spatial Context
• Simple Graphics
• Only High Priority Alerts
CA eTrust Security Command Center www.ca.com/products/
![Page 14: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/14.jpg)
Comprehension
Visual Techniques to Enhance Comprehension
• Multi-dimensional graphics
• Visually correlate several types of data in one visualization
• Multiple coordinated views
• Emphasis on spatial and temporal context
• Specific techniques
  – Link analyses
  – Graphs of trends
  – Star trees
  – Parallel coordinates
![Page 15: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/15.jpg)
Coordinated Views Enhance Comprehension
• Star Tree depicts connections between nodes of interest
• Histogram view of same data
• Simultaneous filtering of multiple views of dataset
• Table Lens provides alternative visual perspective
• Data Table
VIAssist developed for DOD and commercial use by Secure Decisions – www.SecureDecisions.com
![Page 16: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/16.jpg)
StarTree Shows Connection Patterns
• Red dots indicate Dest IP in Morocco is on Watch List.
• IP address of interest
• Thicker line indicates more connections to US
StarTree from Inxight. www.inxight.com. Modified for inclusion in VIAssist – www.SecureDecisions.com
![Page 17: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/17.jpg)
Multi-Dimensional Graphics: Correlation of Suspicious Activity with Time and Location
Mail Server is a mission-critical asset; therefore it is shown as a larger box.
Secure Decisions SecureScope™ www.SecureScope.com or www.SecureDecisions.com
![Page 18: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/18.jpg)
Projection
Visual Techniques to Enhance Projection
• Predicted attack paths
• Security data combined with organization charts
• Replays of network traffic
• Animation
![Page 19: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/19.jpg)
Predict Impact of an Attack on a Mission
• Wall depicts required sequence of mission-critical tasks
• Mission-Critical Tasks
• Assets or Resources Needed for Each Task
• Lines point to specific assets needed to support each task.
• Assets are color-coded by degree of current availability
Secure Decisions SecureScope – www.SecureDecisions.com
![Page 20: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/20.jpg)
VISUALIZATIONS FOR EACH PHASE OF SECURITY LIFECYCLE
![Page 21: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/21.jpg)
Security Lifecycle
Monitor – Assess – Remediate – Report
Security Policies
![Page 22: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/22.jpg)
Visualizations for Situational Awareness & Security Lifecycle
Security Lifecycle Phases: MONITOR, ASSESS, REMEDIATE, REPORT
Situational Awareness Stages: Perception, Comprehension, Projection
![Page 23: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/23.jpg)
Monitoring
Monitor
• Identify policy violations
• Monitor alerts from Intrusion Prevention System
• Identify vulnerabilities
• Identify anomalous network performance
![Page 24: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/24.jpg)
Visualization for Monitoring
Guidelines for How the Viz Should Look
• Standardized, simple views for rapid scanning and comparing
• Visualize primary sensor data (e.g. IPS alerts)
• Simple 2D graphics, e.g. of security metrics
• Big graphics that can be seen on a “Big Board”
• Use color, blinking, and motion in uniform, pre-set conditions
• Distinguish old data from new
![Page 25: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/25.jpg)
Event Dashboard
• 2D Graphics
• Prioritized, Color-coded Alerts
• Simple Metrics
eIQ Enterprise Security Analyzer product of eIQnetworks™ – www.eiqnetworks.com
![Page 26: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/26.jpg)
Prioritized Alerts
Columns: Time, Device, Source IP, Destination IP, Alert, Protocol
eIQ Enterprise Security Analyzer product of eIQnetworks™ – www.eiqnetworks.com
![Page 27: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/27.jpg)
“Big Board” of Trouble Spots
MITRE IWViz developed for USAF www.mitre.org/work/tech_transfer/technologies/iwviz.html or www.SecureDecisions.com
![Page 28: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/28.jpg)
Visualization for Monitoring
Guidelines for How the Visualization System Should Operate
• Standard, regular queries to data repository
  – e.g. poll database for top 100 alerts every 15 minutes
• Standard visual filters for shared display
  – only show activity on pre-specified critical assets
• Drill down for other data
• Automatically update data being visualized at regular intervals
![Page 29: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/29.jpg)
Assessment
Assess
• Explore data for patterns
• Analyze for suspicious activity
• Analyze risks
• Audit for compliance
![Page 30: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/30.jpg)
Visualization for Assessment
Guidelines for How the Viz Should Look
• Keep primary data of interest in foreground
• Add secondary data (e.g. whois, CERT advisories, location) to help interpretation of primary data
• Multi-dimensional displays, often with temporal and spatial context
• Multiple coordinated views of data
• Color, blinking, and motion under user control
![Page 31: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/31.jpg)
Assess Vulnerability from Rogue Access Points
• Building floor layout
• Topology of Connections
• Heatmap of Signal Strength
• Vulnerable Groups
AirWave’s RAPIDS http://www.airwave.com/products/rapids/
![Page 32: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/32.jpg)
Risk Analysis
RedSeal™ Security Risk Manager www.redseal.net
![Page 33: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/33.jpg)
Visualization for Assessment
Guidelines for the Visualization System
• Ad hoc data exploration tools
• Keep track of path taken through data (e.g. give cues to what has been filtered)
• Specially-crafted queries to data repository
• Customizable visual filters for shared display
• Drill down for other data
• Aggregate data at higher level of abstraction
• Do not automatically update data under analysis
• Retain historic data for access by visualization
![Page 34: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/34.jpg)
Remediation
Remediate
• Analyze impact of remediation
• Modify access controls
• Enforce policies
• Educate
• Respond to incidents
![Page 35: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/35.jpg)
Visualization for Remediation
Guidelines for How the Viz Should Look
• Link diagrams to show causality and dependencies
• Line graphs of network activity over time
  – Annotated to show need for and effects of remediation
• Simple graphics, e.g. frequency charts, showing changes in security metrics
  – Shows need for and effects of remediation
• Uncluttered
• Retain information when rendered in grey scale
![Page 36: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/36.jpg)
Effect of Changed Asset on Other Systems
• This changed asset is required by Email Support
• … is business owner of STL_LDAP Security
CA CMDB Change Impact Analysis – www.ca.com/us/cmdb.aspx
![Page 37: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/37.jpg)
Visually-Mediated Tool for Controlling Access
Meru Networks E(z)RF www.merunetworks.com/
![Page 38: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/38.jpg)
Visualization for Remediation
Guidelines for the Visualization System
• Role-based security access, to protect remediation activities from general viewing
• Viz system should be able to access historical data for before and after views
• Rapidly copy visualizations for insertion in reports
• Email visualizations
• Print directly from visualization system
![Page 39: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/39.jpg)
Reporting
Report
• Report to management
• Report on compliance
• Collaborate with experts
![Page 40: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/40.jpg)
Visualization for Reporting
Guidelines for How the Viz Should Look
• Graphics and icons understandable without explanation, e.g. line graphs, frequency charts
• Annotations
• Uncluttered
• Layers of information that build on top of each other, like transparencies being added
• Retain information when rendered in grey scale
![Page 41: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/41.jpg)
Management Report
OSSIM - Open Source Security Information Management - www.ossim.net
![Page 42: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/42.jpg)
Compliance Reporting
IBM Tivoli Compliance Insight Manager www-306.ibm.com/software/tivoli/products/security-compliance-mgr/
![Page 43: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/43.jpg)
Visualization for Reporting
Guidelines for the Visualization System
• Standard PowerPoint templates that can be automatically filled in from the viz system
• Annotate and save annotations in visualizations
• Direct access to historical data
• Rapidly copy visualizations for insertion in reports
• Email visualizations
• Print directly from visualization system
![Page 44: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/44.jpg)
HOW TO GET SECURITY VISUALIZATION IMPLEMENTED IN YOUR ENTERPRISE
![Page 45: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/45.jpg)
How to Get Security Visualizations
Four ways to get security visualizations
• Individual security tools with integral visualizations
• Security Information & Network Management systems with integrated visualizations
• General-purpose visualization tools, to customize for security purposes
• Dedicated security visualization systems
![Page 46: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/46.jpg)
How to Get Security Visualizations
Individual security tools with integrated visualizations
Single Data Source: Firewall, audit logs, IPS alerts, pcap files
Benefits
• Configured for easy interpretation of specific security data
• Some inexpensive (open source)
Drawbacks
• No cross-sensor correlation
• Exploratory
Sample Products: Afterglow, AirWave, RUMINT, TNV
![Page 47: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/47.jpg)
TreeMap Analyzing Firewall Logs
TreeMap by AfterGlow – sourceforge.net/projects/afterglow or www.secviz.org/?q=node/16
![Page 48: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/48.jpg)
TreeMap for Assessing Firewall Logs: Notional View
• Each big box represents a Source IP connecting into the enterprise (e.g. Source IP 195.141.69.45, Source IP 195.143.56.25)
• Each big box is subdivided by the Target Ports used to connect to the enterprise (e.g. Port 20, Port 25, Port 53)
• The size of the Target box represents the number of connections achieved.
• Each Port box is subdivided into Target IPs reached by the Source IP
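The nesting this slide describes, as an added example (not from the talk, and not AfterGlow's code): it aggregates constructed firewall log lines into the Source IP → Target Port → Target IP hierarchy and lays it out as a slice-and-dice treemap so each box's area is proportional to its connection count. The CSV log format and the 10.0.0.x target addresses are assumptions.

```python
"""Treemap hierarchy for firewall logs: source IP -> target port -> target IP,
with box size proportional to the number of connections (slice-and-dice layout)."""
from collections import defaultdict
import csv
import io

# Constructed sample firewall accept-log (CSV: source IP, target IP, target port).
# Source IPs are the notional values from the slide; targets are invented.
SAMPLE_LOG = """src,dst,dport
195.141.69.45,10.0.0.5,25
195.141.69.45,10.0.0.5,25
195.141.69.45,10.0.0.9,20
195.143.56.25,10.0.0.7,53
195.143.56.25,10.0.0.5,25
195.143.56.25,10.0.0.5,25
195.143.56.25,10.0.0.9,20
195.143.56.25,10.0.0.7,53
"""


def build_hierarchy(log_text):
    """Nested dict: source IP -> target port -> target IP -> connection count."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for row in csv.DictReader(io.StringIO(log_text)):
        tree[row["src"]][int(row["dport"])][row["dst"]] += 1
    return tree


def size(node):
    """Connection count under a node (a leaf is already an int)."""
    return node if isinstance(node, int) else sum(size(c) for c in node.values())


def layout(node, x=0.0, y=0.0, w=800.0, h=600.0, depth=0, path=(), boxes=None):
    """Slice-and-dice treemap layout.

    Splits the parent rectangle horizontally at even depths and vertically at
    odd depths, giving every child a share proportional to its size.  Returns
    a list of (path, count, (x, y, w, h)) for every node below the root, with
    larger children first (ties broken by key) so the picture is stable.
    """
    if boxes is None:
        boxes = []
    total = size(node)
    if isinstance(node, int) or total == 0:
        return boxes
    offset = 0.0
    for key, child in sorted(node.items(), key=lambda kv: (-size(kv[1]), str(kv[0]))):
        frac = size(child) / total
        if depth % 2 == 0:
            rect = (x + offset * w, y, w * frac, h)
        else:
            rect = (x, y + offset * h, w, h * frac)
        offset += frac
        boxes.append((path + (key,), size(child), rect))
        layout(child, *rect, depth + 1, path + (key,), boxes)
    return boxes


if __name__ == "__main__":
    # Indentation follows the hierarchy: source IP, then port, then target IP.
    for path, count, (bx, by, bw, bh) in layout(build_hierarchy(SAMPLE_LOG)):
        indent = "  " * (len(path) - 1)
        print(f"{indent}{path[-1]!s:16} {count:2d} conns  box {bw:6.1f} x {bh:6.1f} at ({bx:.0f}, {by:.0f})")
```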
![Page 49: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/49.jpg)
RUMINT Visual Analytics for Packet Data
RUMINT developed by Greg Conti www.rumint.org/
![Page 50: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/50.jpg)
How to Get Security Visualizations
Security Information & Network Management systems with integrated visualizations
Benefits
• Multi-source: firewalls, IDS, applications, etc.
• Multi-perspective: gain new insight
• Interactive: visualize event, drill down, filter
• Easy to use: preloaded security visualization
Drawbacks
• Expensive: require SIM
Sample SIM and NMS Products: ArcSight, CA, eIQnetworks, IBM, NeuralStar, Intellitactics, OSSIM
![Page 51: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/51.jpg)
Visualizations Within ArcSight SIM
ArcSight Interactive Discovery and ArcSight ESM – www.arcsight.com
![Page 52: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/52.jpg)
Visualizations Within NeuralStar NMS
NeuralStar by Ai Metrix www.aimetrix.com/about_aimetrix.php
![Page 53: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/53.jpg)
How to Get Security Visualizations
General-purpose visualization tools that can be customized
Benefits
• Truly customized for your own needs
Drawbacks
• No security knowledge built in
• Requires skilled software development staff
• Requires >4 months of development time and cost of a highly skilled
Sample Products: QlikView, Advizor, Inxight, Tom Sawyer, yWorks
![Page 54: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/54.jpg)
QlikView General Purpose Visual Tools
![Page 55: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/55.jpg)
Advizor General Purpose Visual Tools
![Page 56: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/56.jpg)
How to Get Security Visualizations
Dedicated security visualization systems
Benefits
• Configured to visualize larger quantities of security data
• Can interface to multiple sources, e.g. firewalls, IPSs, SIMs
• Designed for many different security users, from real-time analysts to security managers in the same organization
Drawbacks
• Some are expensive (>$4K)
• Learning curve (1-2 days)
Sample Products: SecureScope, VIAssist, MeerCAT, VisAlert, TriGeo
![Page 57: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/57.jpg)
TriGeo Insight™ Incorporates QlikView
http://www.trigeo.com/products/insight/
![Page 58: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/58.jpg)
VIAssist Visualization System
Actual multi-vendor integrated visual dashboard
Combines:
• InXight Star Tree and Table Lens
• Advizor Charts
• Secure Decisions Visual Analytic Framework (VIAssist), Filters & Legends
VIAssist www.SecureDecisions.com
![Page 59: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/59.jpg)
Issues in Selecting Visualization Solutions
• Motivational Issues
  – Goals – Why do you want visualizations?
  – What questions do you want to ask of the data?
• Data Issues
  – Data Sources
  – Data Volume
  – Data Access
• Resource Issues
  – Supporting technology infrastructure
  – Staffing and technology expertise
  – Budget
![Page 60: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/60.jpg)
Motivating Issues
• Goals – Why do you want visualizations?
  – Quick monitoring?
  – Detailed analysis?
  – Substantiation for compliance?
  – Sharing with other security professionals?
  – Reporting to non-experts?
• What questions do you want to ask of the data?
  – Am I under attack?
  – When did it start?
  – What’s the organizational impact?
  – Who is it, and where are they?
  – What technique are they using?
![Page 61: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/61.jpg)
Data Issues
• Data Sources
  – One or many?
  – Pre-processed? e.g. alerts
  – Raw? e.g. packet data
  – Recent or historical?
  – Need to periodically bring in other sources? (e.g. CERT or ISAC advisories, maps)
• Data Volume
  – How many GB or TB a day do you get?
  – Of that, what do you want to look at?
• Data Access
  – Central repository, or does visualization need to interface to several other systems for data?
![Page 62: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/62.jpg)
Resource Issues
• Supporting technology infrastructure
  – Preferred operating system
  – Central or distributed monitoring
  – Fat client or web portal usage
  – Collaborative or single user
• Staffing and technology expertise
  – General network administrator or skilled security analyst capable of detailed forensic analysis of data
  – Degree of software development expertise
• Budget
![Page 63: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/63.jpg)
WRAP-UP
![Page 64: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/64.jpg)
In a Nutshell
• “Visual analytics” help security professionals analyze large volumes of complex security data
• Many security tools are adding some form of visualization, but … not all “pretty pictures” are useful
• No single visualization is effective for all tasks and phases of the security lifecycle
• Good visualization systems are grounded in psychological principles of situational awareness
• Good visualization systems go beyond graphics
![Page 65: Visualization: Transforming How We View Security](https://reader034.vdocuments.us/reader034/viewer/2022042522/559ec00d1a28ab31038b45d8/html5/thumbnails/65.jpg)
What’s Your Perspective?