Threat Intelligence

3/27/2017
11:30 AM
Joshua Goldfarb
Commentary

Data Visualization: Keeping an Eye on Security

Visualization can be one of the most powerful approaches a security team can use to make sense of vast quantities of data. So why does it end up as an afterthought?

Have you ever recognized someone but had trouble recalling their name? Or perhaps you've felt as if you had met someone before but couldn't place where? It turns out that this is quite common. It has to do with the way our brains are wired, and the ways in which we process visual and non-visual information differently.

While I'm not a scientist, I do know from experience that the human eye can often identify visual patterns quite quickly. As an example of this, consider a bar graph with one marked outlier. If you look at the bar graph, you will likely identify this outlier fairly quickly. But what if I gave you all the empirical data in table form? It would likely take you far longer to identify the outlier, right?

There is a lesson in here for security, but not the one you might think. Visualization is often something on an organization's to-do list, and for good reason. Visualization is one of the most powerful approaches a security team can use to help make sense of vast quantities of data. But more often than not, organizations struggle to get the value out of visualization that they had hoped for. Instead of becoming one of the key tools for the security team, visualization often ends up as an afterthought relegated to a few monitors on the fringe of the Security Operations Center.

Image Source: agsandrew via ShutterStock

Why is this? To better understand what is going on here, we first need to take a step back and think about what we are trying to accomplish with visualization. In this context, visualization is essentially being used as an analytic. In other words, the human eye is being used as an analytical tool to better understand the data it is looking at, and to try and identify patterns or outliers in it. So what is causing the disconnect between the desired outcome and the reality of the matter?

As you might already know, analytics work best when focused on answering specific questions, or addressing specific use cases. For example, I'm sure you can appreciate the difference between trying to use analytics to find "something interesting" versus "privileged accounts that appear to be compromised." And therein lies the reason that most visualization efforts are so underwhelming. They are simply not aimed towards answering any particular question or addressing any particular use case. 

What do I mean by this? Think about how most organizations approach visualization. Generally, these organizations take a bunch of raw, unprocessed data and represent it in any of a number of different types of graphs (e.g., time series, scatter plots, bar graphs, etc.). There is no focus here at all! If I were to ask these organizations the simple question "What are you looking to find with this visualization?", they would most likely have no answer. Not surprisingly, the results of these visualization attempts almost always disappoint.

What's missing from this approach to visualization are the right questions. Questions force us to pause and think about what we’re actually trying to accomplish. As an example, think about a case where we are interested in looking for callbacks to potential command and control sites that may not yet be online. When a system is infected with malicious code, it often calls back to a command and control infrastructure seeking further instructions. Sometimes, the command and control infrastructure is not yet online, or the attacker wants the malicious code to "sleep" for a period of time before activating it. If we look for this type of activity, we can sometimes identify malicious callback domains that may not yet be widely known (and thus will not match any known signature or intelligence source).

We will likely want to go to our DNS data for this example. Further, we need to filter the data to look for domain requests that return no answer over a period of time (say the last 24 hours). Lastly, we'll want to aggregate, by domain name, a count of the number of requests matching these criteria. If we visualize the data that results from asking this question, we will likely have a wildly different visualization experience.

Let's say we order by count descending and use a bar graph to visualize the data set. We may have some instances of a small number of requests for a given domain that return no answer. These could be mistyped domain names, or perhaps some type of misconfiguration. But if we have infected systems exhibiting this type of behavior, we will likely see a much higher number of requests for one or more domain names that return no answer. Our human eye will be treated to something it can process quite easily and use to identify outliers very quickly.
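One way to ask this question of DNS data, as an added example that is not part of the article: it filters a constructed, invented resolver log format (with NXDOMAIN standing in for "request returned no answer") to the last 24 hours, aggregates a count per domain, orders by count descending, and draws the result as a text bar chart so the outlier is visible the way the article describes.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample resolver log (not real traffic); one record per line:
# timestamp, client IP, queried name, response code. NXDOMAIN stands in for
# "request returned no answer". Includes one stale record outside the window.
SAMPLE_DNS_LOG = """\
2017-03-27T09:00:01 10.0.0.12 www.example.com NOERROR
2017-03-27T09:00:05 10.0.0.12 update-svc.example.net NXDOMAIN
2017-03-27T09:15:09 10.0.0.12 update-svc.example.net NXDOMAIN
2017-03-27T09:30:02 10.0.0.31 update-svc.example.net NXDOMAIN
2017-03-27T09:45:44 10.0.0.12 update-svc.example.net NXDOMAIN
2017-03-27T10:00:13 10.0.0.31 update-svc.example.net NXDOMAIN
2017-03-27T10:02:00 10.0.0.7 gogle.com NXDOMAIN
2017-03-25T08:00:00 10.0.0.7 old-typo.example NXDOMAIN
"""
NOW = datetime(2017, 3, 27, 12, 0, 0)  # evaluation time for the constructed data

def parse_dns_log(text):
    """Yield (timestamp, client, domain, rcode) per record of the constructed log."""
    for line in text.splitlines():
        if line.strip():
            ts, client, domain, rcode = line.split()
            yield datetime.fromisoformat(ts), client, domain.lower().rstrip("."), rcode

def unanswered_domain_counts(text, now=NOW, window=timedelta(hours=24)):
    """Filter to unanswered queries in the look-back window, aggregate a count
    per domain, and order by count descending: the question the article poses."""
    cutoff = now - window
    counts = Counter(
        domain for ts, _client, domain, rcode in parse_dns_log(text)
        if rcode == "NXDOMAIN" and ts >= cutoff
    )
    return counts.most_common()

def bar_chart(rows, width=40):
    """Render the ordered counts as a horizontal text bar chart; the repeated
    failing lookups stand out as one long bar beside short ones (typos)."""
    if not rows:
        return ""
    top = rows[0][1]
    name_w = max(len(d) for d, _ in rows)
    return "\n".join(
        f"{d:<{name_w}} {'#' * max(1, round(n / top * width))} {n}"
        for d, n in rows
    )

if __name__ == "__main__":
    print(bar_chart(unanswered_domain_counts(SAMPLE_DNS_LOG)))
```

The stale 2017-03-25 record is dropped by the 24-hour filter, and the single `gogle.com` failure draws a short bar next to the long one for the repeatedly requested, unresolvable name.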

So you see, it's all in how you interrogate the data. Visualization can be a powerful tool, but you have to know how to use it properly. When looking to leverage visualization, it is helpful to first ask yourself the question "What am I looking for?" The answer to this question can guide you to interrogate the data using a variety of queries and pivots to get it into a state where the actual visualization can be successfully leveraged. 

Get the picture?


Josh (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, ...

Comments
RetiredUser (User Rank: Ninja), 6/30/2017 | 12:29:54 PM
Re: The Community
I'm also a huge advocate of visualization (OpenNMS is a favorite platform of mine). In addition to secviz.org, I also recommend a long-running resource I reference regularly and send folks to:

SLAC National Accelerator Laboratory Network Monitoring Tools:

www(dot)slac(dot)stanford(dot)edu/xorg/nmtf/nmtf-tools.html
RMARTY000 (User Rank: Strategist), 4/1/2017 | 9:24:57 PM
The Community
If you are interested in security visualization, I recommend having a look through the posts on secviz.org. There is a visualization gallery and a number of really insightful posts. Hope to see more conversations over there.
kcogswell605 (User Rank: Apprentice), 3/28/2017 | 11:51:35 AM
Agree!
Hi Josh,

Just read your article, Data Visualization: Keeping an Eye on Security. Good job! As a data discovery and visual analytics software company, we here at ADVIZOR Solutions are all about helping people identify the 6 – 8 key questions they want to be able to answer from their data in order to drive the data that's needed, the visual displays that are most appropriate, and the metrics that matter. What's really cool is that, once you've got all that, the visualizations help you "see the stories" and also drive you to questions you may not have thought to ask until you see the data visually. Security visualization is a great application for our software and we are doing a lot of work in this area.