Visualization for IT-Security
L. Aaron Kaplan
This talk will present visualization techniques for IT-security events and incidents.
Conficker demonstrated that sinkholing botnets and logging relevant IT-security events on a massive scale is a powerful weapon for mitigation and remediation. However, naturally these data collections quickly grow to sizes too large to understand or handle. Visualization can prove to be an invaluable tool for the IT security handler to gain insights into the dimensions of a problem as well as for management and even politicians.
Therefore this presentation will show – based on a concrete example – how we can extract understandable information out of a multitude of data sources. The concrete example will deal with DNS, DNScap and NFSen/NFDump visualizations. Since DNS is a hidden treasure box for IT security and since DNS requests can hint at many problems (misconfiguration as well as abuse), visualizing DNS is in our opinion a promising fresh approach.
Finally, a list of practical tools will be presented, which participants can use in their own organizations and thus improve their own incident handling.
Talk from the recent FIRST.org conference in Miami, FL
“This talk is about making nice pictures….. and why we need that”
Last year CERT.AT did some work on tracking Conficker by sinkholing traffic heading to certain .AT domains and tracking it. The information was easy to gather, but the visualizations presented were something people thought was amazing.
Google Spreadsheets now offers visualization tools to track and display information over time.
“A picture is worth 1000 log records” (R. Marty)
We have too much data: an information explosion.
Visualization can explain it all to your Grandpa/father/mother/partner…
- Management, Sales, Politicians
- Operational Staff
These users have different needs depending on what they need to do with the information.
Visualization isn’t new, however. Otto Neurath was doing it long before most of us were alive.
There’s not enough of this kind of visualization going on. Things need to improve.
- Maxmind GeoIP
- Gapminder (Google Gadget)
- Google Earth
  - Import XML data to show placemarks
- Unix Filters
  - (cut, sort, uniq -c, sort, gnuplot)
- DAVIX CD
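The “Unix Filters” item above is the classic cut / sort / uniq -c / sort pipeline that turns a raw event log into counts that gnuplot can draw. The script below is an added example (not code from the talk or from CERT.AT) that runs that pipeline over a constructed sample of sinkhole DNS query log lines; the log format (epoch, client IP, queried name) and all addresses and names are assumed for illustration only.

```shell
#!/bin/sh
# Constructed sample of sinkhole DNS query log lines (not real data).
# Format assumed here: <epoch seconds> <client ip> <queried name>
SAMPLE_LOG='1275000001 192.0.2.10 abc.example.net
1275000002 192.0.2.11 abc.example.net
1275000003 192.0.2.10 xyz.example.net
1275000004 198.51.100.5 abc.example.net
1275000061 192.0.2.10 abc.example.net
1275000065 198.51.100.5 qrs.example.net'

# Queries per client: cut the IP column, sort so identical values are
# adjacent, uniq -c counts each run, sort -rn puts the busiest client first.
# awk normalizes uniq's padded output to "count ip".
queries_per_client() {
  printf '%s\n' "$SAMPLE_LOG" \
    | cut -d' ' -f2 | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Same pipeline over the queried-name column: which names the sinkholed
# hosts ask for most (misconfiguration and abuse both show up here).
queries_per_qname() {
  printf '%s\n' "$SAMPLE_LOG" \
    | cut -d' ' -f3 | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Time series for gnuplot: round each epoch down to its minute, count
# queries per bucket, emit "bucket_epoch count" in chronological order.
queries_per_minute() {
  printf '%s\n' "$SAMPLE_LOG" \
    | cut -d' ' -f1 | awk '{print int($1/60)*60}' \
    | sort | uniq -c | sort -k2,2n \
    | awk '{print $2, $1}'
}

# Write the series to a data file that gnuplot can plot, e.g.
#   gnuplot -e "set terminal dumb; plot 'series.dat' using 1:2 with lines"
write_series() {
  queries_per_minute > "${1:-series.dat}"
}
```

Replace the `printf '%s\n' "$SAMPLE_LOG"` stage with `cat sinkhole.log` (or a dnscap / nfdump text export) to run the same pipeline over real data; the counting stages do not change.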
Sometimes using a simple line graph shows nothing but a few large key spikes. Using other visualization techniques helps to show the full picture.
Do more visualization!
Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/57
CERT.AT –> http://cert.at
Otto Neurath –> http://en.wikipedia.org/wiki/Otto_Neurath
ISOTYPE –> http://en.wikipedia.org/wiki/Isotype
processing.org –> http://processing.org
DAVIX –> http://www.secviz.org/node/89