
Vulnerabilities / Threats

2/18/2012
07:46 AM

Tech Insight: Getting The Picture With Data Visualization

Data visualization can be useful in log review, forensic analysis, and other security activities where large amounts of data must be vetted and analyzed

Security pros responsible for log analysis and digital forensic investigations today have so much data to analyze that it can be difficult to make heads or tails of it without the proper tools to parse, prioritize, and identify the valuable information.

Sometimes obscure log entries can be easily deciphered with a simple search on the Internet. But other times there are too many results, and it's hard to wade through them to find the correct information. Many organizations have adopted security information and event management (SIEM) solutions to help with the correlation and prioritization of security data in order to turn it into actionable information. Once properly configured and tuned, SIEMs can certainly make a big difference. But often the SIEM's greatest feature turns out to be its ability to take the data and visualize it in a way that lets analysts easily spot patterns or peaks in activity that indicate a problem.

Data visualization, or in the simplest terms, the visual representation of data, is nothing new. The last two decades have seen an increase in interest in it as researchers, security pros, and vendors have worked to visualize computer-related data in meaningful ways. In 2004, I saw my first presentation focused on security data visualization at a small hacker conference in Atlanta called Interz0ne. Greg Conti gave a fascinating talk that showed many different graphical representations of the port scans and attacks I'd been analyzing on a regular basis using an intrusion detection system (IDS), packet sniffer, and network flow data. The way the activity popped out was eye-opening.

A few years later in 2007, Greg published the excellent book, "Security Data Visualization: Graphical Techniques for Network Analysis," through No Starch Press. The book provided an intriguing walkthrough of different tools and methods for visualizing everything from network packets and binary files to IDS and firewall logs. Similarly, another excellent book, "Applied Security Visualization," followed a year later.

During this same time, security tool vendors were incorporating data visualization techniques—often to the benefit of the analysts using the system, but sometimes the visualization was poorly designed and served as more of a misleading distraction. In too many cases, graphs and pie charts were added but provided no meaningful information to the security pros using the system.

Most of the SIEM solutions I've reviewed, used, or seen in action during client engagements have actually put a lot of thought into their dashboard design and serve as the best example of successful data visualization efforts. They focus on taking large amounts of data, normalizing it, correlating it, and presenting the results in a dashboard with graphs and charts. SIEM offerings from companies like ArcSight, NitroSecurity, Splunk, and Tenable Network Security are just a few examples.

Data visualization techniques have been making their way into other areas besides network and log analysis. Digital forensics has seen an increase in interest in timelines and graphical representation of data in the last three years. The number of times timelines have been mentioned in Harlan Carvey's Windows Incident Response blog and the SANS Computer Forensics and Incident Response blog can attest to that fact.

Timeline research has especially benefited digital forensics as free and open source tools have been developed to meet the needs of security investigators. The tools tie together filesystem activity with logs from network devices, the Windows Event Log, and services like IIS and Apache. The resulting timeline can be viewed in its native text format or loaded into software like Excel for sorting, filtering, and graphing. Investigators can use the timeline to identify patterns and a suspect's activity across many sources of data.

A good example is the recent release of a color-coded Excel timeline template and an accompanying SANS forensic blog entry from Rob Lee, SANS Faculty Fellow. The blog provides links and instructions for using timeline tools to generate data that is then loaded into the Excel template. The different types of data represented in the timeline are color-coded to help investigators track activity like email and chat usage, the opening and modification of files, USB drive usage, and Windows account activity.
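As an added illustration (not code from the article, from SANS, or from any tool it names), this Python sketch merges constructed records from three sources into one sorted, color-coded timeline and counts activity per minute, the kind of view the template and a SIEM peak graph give an analyst; the sample rows, categories, and colors are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real evidence) from three sources a timeline
# tool would tie together: filesystem timestamps, Windows Security events, IIS logs.
FS_ROWS = [
    "2012-02-15 09:02:11|C:\\Users\\bob\\Downloads\\invoice.zip|modified",
    "2012-02-15 09:02:40|C:\\Users\\bob\\AppData\\Local\\Temp\\a.exe|created",
]
EVT_ROWS = [
    "2012-02-15 09:01:55,4624,bob,Logon succeeded",
    "2012-02-15 09:03:10,4663,bob,removable drive E: accessed",
]
IIS_ROWS = ["2012-02-15 09:02:05 10.0.0.5 GET /mail/inbox 200"]

# Assumed color per activity type, mirroring a color-coded spreadsheet template.
COLORS = {"file": "yellow", "account": "blue", "usb": "green", "email": "orange"}

def classify(source, text):
    """Map a record to an activity category; the category selects its color."""
    if source == "evt":
        return "usb" if "removable" in text else "account"
    if source == "iis" and "/mail/" in text:
        return "email"
    return "file"

def build_timeline():
    """Normalize all sources into (timestamp, source, category, color, text),
    sorted chronologically so actions across sources line up."""
    events = []
    for row in FS_ROWS:
        ts, path, action = row.split("|")
        events.append((ts, "fs", f"{action} {path}"))
    for row in EVT_ROWS:
        ts, eid, user, msg = row.split(",", 3)
        events.append((ts, "evt", f"EID {eid} {user}: {msg}"))
    for row in IIS_ROWS:
        date, time, ip, method, url, status = row.split()
        events.append((f"{date} {time}", "iis", f"{ip} {method} {url} {status}"))
    events.sort(key=lambda e: datetime.strptime(e[0], "%Y-%m-%d %H:%M:%S"))
    timeline = []
    for ts, src, txt in events:
        cat = classify(src, txt)
        timeline.append((ts, src, cat, COLORS[cat], txt))
    return timeline

def busiest_minute(timeline):
    """Bucket events per minute; the peak bucket is where an analyst looks first."""
    counts = Counter(ts[:16] for ts, *_ in timeline)
    return counts.most_common(1)[0][0]
```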

Commercial forensic and incident response tools are also seeing new visualization features being added. Just this week, AccessData announced the availability of the "FTK Add-On: AccessData Visualization" for its forensic product FTK (Forensic Toolkit), which, according to its datasheet, adds graphs, pie charts, and treemaps for visualizing email and file activity and contents.

Data visualization can be an extremely useful tool during log review, forensic analysis, and other security activities where large amounts of data are involved. Relationships between people and places are suddenly realized when using a tool like Maltego. Port scans and brute force attacks can easily be traced through the graphs in a SIEM.

It helps to understand when visualization works and when it doesn't. Trying the available tools, reading the books and blog entries mentioned above, and seeing what works best in your environment all build that understanding.

Comments

MS8699, User Rank: Apprentice
2/21/2012 | 5:03:14 AM
re: Tech Insight: Getting The Picture With Data Visualization
SIEM

MS8699, User Rank: Apprentice
2/20/2012 | 6:44:11 AM
re: Tech Insight: Getting The Picture With Data Visualization
Data visualization, or in the simplest terms, the visual representation of data, is nothing new. The last two decades have seen an increase in interest in it as researchers, security pros, and vendors have worked to visualize computer-related data in meaningful ways.

RMARTY000, User Rank: Apprentice
2/18/2012 | 8:26:14 PM
re: Tech Insight: Getting The Picture With Data Visualization
Have a look at http://secviz.org for more information and examples on how to visualize security data. Comment, ask questions, and get involved in the community!