2:53 PM -- Applying information visualization techniques to IT security is an area of research I hadn't been aware of until I read Security Data Visualization by Greg Conti. I'd seen Conti present at Interz0ne a few years ago and knew a little about his Rumint project, but hadn't given the topic a second thought. After reading his book, however, I've started thinking differently whenever I look at a large log from an IDS or firewall -- I'm now imagining how it could be graphed to best see what's really going on.
You're probably already using information visualization techniques on a daily basis and don't even realize it. For example, those of you using SIM/SEM/SIEM solutions utilize information visualization techniques to make the security data meaningful at a glance. That's exactly the point of the "dashboards" that security products have been implementing for the last several years. Dashboards are visual tools that provide an overview of what's going on and what needs attention. They use graphs, charts, timelines, and colors.
What if you don't have one of the spiffy products that do the visualization for you? Don't worry, there are several free solutions available that can give you a taste of what you're missing. And, they may even help you show your boss what's out there so you can get the budget for a commercial solution that picks up where the free ones leave off.
Conti's book covers Rumint and AfterGlow, two free and open source tools. Rumint is specifically for network traffic, and AfterGlow can be used for network traffic, Web server logs, firewall logs, and more. glTail.rb is one of those tools that's great if you like to keep one screen for just watching logs so you can catch abnormalities in your peripheral vision. I'm always amazed at how many security and mail administrators like to do this. It parses many different log files and displays them in such a way that may make your boss think you're gaming, not working.
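As an added example (not from the column or from the AfterGlow project), here is the preprocessing step a tool like AfterGlow expects: reduce raw firewall log lines to source, event, target triples so the link graph shows which hosts are touching which services. The iptables-style log lines are constructed sample data, and the three-column CSV layout is AfterGlow's documented source,event,target format.

```python
import re
from collections import Counter

# Constructed iptables-style firewall log lines (sample data, not from the article).
SAMPLE_LOG = """\
Jan 12 14:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=22
Jan 12 14:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40212 DPT=22
Jan 12 14:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=40213 DPT=22
Jan 12 14:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jan 12 14:01:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
Jan 12 14:01:07 fw kernel: MAC=... a line without the fields we need
"""

# Only the fields a link graph needs; SPT is optional because not every rule logs it.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) (?:SPT=\d+ )?DPT=(\d+)")


def parse_edges(log_text):
    """Reduce each matching line to a (source, target, proto/port) edge and count repeats.
    Lines without the expected fields are skipped rather than guessed at."""
    edges = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dpt = m.groups()
            edges[(src, dst, f"{proto.lower()}/{dpt}")] += 1
    return edges


def to_afterglow_csv(edges):
    """Rows in AfterGlow's three-column layout: source,event,target.
    The service (proto/port) is the middle node, so hosts cluster around services."""
    return [f"{src},{svc},{dst}" for (src, dst, svc) in sorted(edges)]


def fan_out(edges):
    """Distinct targets per source: the wide fan-out a graph makes obvious at a glance."""
    targets = {}
    for src, dst, _ in edges:
        targets.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_LOG)
    print("\n".join(to_afterglow_csv(edges)))  # pipe these rows into afterglow.pl, then Graphviz
    for src, n in sorted(fan_out(edges).items(), key=lambda kv: -kv[1]):
        print(f"{src} -> {n} distinct hosts")
```

In the sample, one source reaching three hosts on the same port stands out in the graph as a single node with three edges, which is far quicker to spot than the same three lines scrolling past in a log.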
Interestingly, the topic of visualization recently surfaced on the fuzzing mailing list: There was a discussion about whether visually looking at files would help the process of determining what parts of a file were best suited for fuzzing. By fuzzing certain parts of the file and then opening that file with its native application (like a .doc and Microsoft Word), it may be possible to find a vulnerability in how the application parses the file's content. (Wikipedia: "Fuzz testing or fuzzing is a software testing technique that provides random data ['fuzz'] to the inputs of a program.")
I've been responsible for monitoring logs from servers and intrusion detection systems for several years, and I take every opportunity to make the logs more meaningful and less boring. Take a look at the SecViz Website for more ideas on how to make your boring logs more interesting.
John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading