
2/18/2012
07:46 AM

Tech Insight: Getting The Picture With Data Visualization

Data visualization can be useful in log review, forensic analysis, and other security activities where large amounts of data must be vetted and analyzed

Security pros responsible for log analysis and digital forensic investigations today have so much data to analyze that it can be difficult to make heads or tails of it without the proper tools to parse, prioritize, and identify the valuable information.

Sometimes an obscure log entry can be deciphered with a quick Internet search. Other times there are too many results, and wading through them to find the right answer takes longer than the analysis itself. Many organizations have adopted security information and event management (SIEM) solutions to correlate and prioritize security data and turn it into actionable information. Once properly configured and tuned, SIEMs can certainly make a big difference. But often the SIEM's most valuable feature turns out to be its ability to visualize the data in a way that lets analysts quickly spot the patterns or peaks in activity that indicate a problem.

Data visualization, in the simplest terms the visual representation of data, is nothing new. The last two decades have seen an increase in interest in it as researchers, security pros, and vendors have worked to visualize computer-related data in meaningful ways. In 2004, I saw the first presentation focused specifically on security data visualization at a small hacker conference in Atlanta called Interz0ne. Greg Conti gave a fascinating talk that showed many different graphical representations of the port scans and attacks I'd been analyzing on a regular basis using an intrusion detection system (IDS), packet sniffer, and network flow data. The way the activity popped out was eye-opening.

A few years later, in 2007, Greg published the excellent book "Security Data Visualization: Graphical Techniques for Network Analysis" through No Starch Press. The book provided an intriguing walkthrough of different tools and methods for visualizing everything from network packets and binary files to IDS and firewall logs. Another excellent book, Raffael Marty's "Applied Security Visualization," followed a year later.

During this same time, security tool vendors were incorporating data visualization techniques, often to the benefit of the analysts using the system, but sometimes the visualizations were poorly designed and served as more of a misleading distraction. In too many cases, graphs and pie charts were added but provided no meaningful information to the security pros using the system.

Most of the SIEM solutions I've reviewed, used, or seen in action during client engagements have actually put a lot of thought into their dashboard design and serve as the best example of successful data visualization efforts. They focus on taking large amounts of data, normalizing it, correlating it, and presenting the results in a dashboard with graphs and charts. SIEM offerings from companies like ArcSight, NitroSecurity, Splunk, and Tenable Network Security are just a few examples.

Data visualization techniques have been making their way into other areas besides network and log analysis. Digital forensics has seen an increase in interest in timelines and graphical representation of data in the last three years. The number of times timelines have been mentioned in Harlan Carvey's Windows Incident Response blog and the SANS Computer Forensics and Incident Response blog can attest to that fact.

Timeline research has especially benefited digital forensics as free and open source tools have been developed to meet the needs of investigators. The tools tie filesystem activity together with logs from network devices, the Windows Event Log, and services like IIS and Apache, normalizing the differing timestamp formats into a single ordered sequence. The resulting timeline can be viewed in its native text format or loaded into software like Excel for sorting, filtering, and graphing. Investigators can use the timeline to identify patterns and follow a suspect's activity across many sources of data.

A good example is the recent release of a color-coded Excel timeline template and an accompanying SANS forensic blog entry from Rob Lee, SANS Faculty Fellow. The blog provides links and instructions for using timeline tools to generate data that is then loaded into the Excel template. The different types of data represented in the timeline are color-coded to help investigators track activity like email and chat usage, the opening and modification of files, USB drive usage, and Windows account activity.
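The procedure described in the last two paragraphs, as an added example (this is not code from the article, from the SANS timeline tools, or from Rob Lee's Excel template): events from the source types the text names (Apache, IIS, an exported Windows Event Log, and Sleuth Kit filesystem metadata) are normalized to one timestamp representation, merged into a single sorted timeline, tagged with a category that stands in for the template's color coding, and then bucketed per minute to produce the series one would graph. All log lines, hosts, IP addresses, users and paths are constructed for illustration; the IIS log is assumed to be in UTC, which is the IIS default.

```python
"""
Added example, not code from the Dark Reading article or the SANS timeline
template it describes: normalize events from several log sources into one
sorted timeline, tag each with a category (the equivalent of the template's
colour coding), and bucket per minute so that a burst of activity stands out.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# ---- constructed sample inputs: hosts, IPs, users and paths are hypothetical ----
APACHE_LOG = """\
203.0.113.7 - - [14/Feb/2012:09:01:12 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [14/Feb/2012:09:01:13 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [14/Feb/2012:09:01:14 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [14/Feb/2012:09:01:15 +0000] "POST /login HTTP/1.1" 200 2048
"""
# IIS W3C extended log; the #Fields directive gives the column order (assumed UTC)
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2012-02-14 09:03:40 203.0.113.7 GET /admin/upload.aspx 200
2012-02-14 09:04:02 203.0.113.7 POST /admin/upload.aspx 200
"""
# Windows Event Log exported to CSV (4624 = successful logon, 4720 = account created)
WINEVT_CSV = """\
TimeCreated,EventID,Computer,Message
2012-02-14T09:05:10Z,4624,WEB01,An account was successfully logged on: svc_web
2012-02-14T09:05:30Z,4720,WEB01,A user account was created: backup_adm
"""
# Sleuth Kit bodyfile line: md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|C:/inetpub/wwwroot/admin/cmd.aspx|0|r/rrwxrwxrwx|0|0|1337|1329210260|1329210260|1329210260|1329210260
"""

# Every parser yields the same shape: (timestamp, category, source, actor, detail)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')


def parse_apache(text):
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield (ts, "web", "apache", m["ip"], f'{m["req"]} -> {m["status"]}')


def parse_iis(text):
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(f'{row["date"]} {row["time"]}',
                                   "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            yield (ts, "web", "iis", row["c-ip"],
                   f'{row["cs-method"]} {row["cs-uri-stem"]} -> {row["sc-status"]}')


def parse_winevt(text):
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TimeCreated"],
                               "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield (ts, "account", "winevt", row["Computer"],
               f'EventID {row["EventID"]}: {row["Message"]}')


def parse_bodyfile(text):
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 11:
            continue
        by_time = defaultdict(set)                 # group the four stamps like mactime
        for flag, epoch in zip("amcb", parts[7:11]):
            by_time[int(epoch)].add(flag)
        for epoch, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            ts = datetime.fromtimestamp(epoch, tz=timezone.utc)
            yield (ts, "file", "fs", parts[1], f"{macb} {parts[1]}")


SOURCES = [(parse_apache, APACHE_LOG), (parse_iis, IIS_LOG),
           (parse_winevt, WINEVT_CSV), (parse_bodyfile, BODYFILE)]


def build_timeline(sources=SOURCES):
    """Merge every source into one list ordered by (timezone-aware) timestamp."""
    events = [ev for parser, text in sources for ev in parser(text)]
    events.sort(key=lambda ev: ev[0])
    return events


def bucket_per_minute(events):
    """Count events per (minute, category): the series you would chart in Excel."""
    counts = Counter()
    for ts, category, *_ in events:
        counts[(ts.strftime("%Y-%m-%d %H:%M"), category)] += 1
    return counts


if __name__ == "__main__":
    timeline = build_timeline()
    for ts, category, source, actor, detail in timeline:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {category:<8} {source:<7} {actor:<12} {detail}")
    print()
    for (minute, category), n in sorted(bucket_per_minute(timeline).items()):
        print(f"{minute} {category:<8} {'#' * n}")
```

Run stand-alone it prints the merged timeline followed by a text bar chart per minute and category. In the constructed data, the sequence (two failed then one successful web login, a POST to an upload page, a new .aspx file born in the web root seconds later, then a logon and account creation on the server) only becomes visible once the four sources share a timestamp representation and a common ordering, which is the whole point of the super-timeline approach.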

Commercial forensic and incident response tools are also gaining visualization features. Just this week, AccessData announced the availability of the "FTK Add-On: AccessData Visualization" for its forensic product FTK (Forensic Toolkit), which, according to its datasheet, adds graphs, pie charts, and treemaps for visualizing email and file activity and contents.

Data visualization can be an extremely useful tool during log review, forensic analysis, and other security activities where large amounts of data are involved. Relationships between people and places suddenly become apparent when using a tool like Maltego. Port scans and brute-force attacks can easily be traced through the graphs in a SIEM.

It helps to understand when visualization works and when it doesn't. The way to learn that is to try the available tools, read the books and blog entries mentioned above, and see what works best in your environment.

Comments
MS8699, User Rank: Apprentice
2/21/2012 | 5:03:14 AM
re: Tech Insight: Getting The Picture With Data Visualization
SIEM
MS8699, User Rank: Apprentice
2/20/2012 | 6:44:11 AM
re: Tech Insight: Getting The Picture With Data Visualization
Data visualization, in the simplest terms, the visual representation of data, is nothing new. The last two decades have seen an increase in interest in it as researchers, security pros, and vendors have worked to visualize computer-related data in meaningful ways
RMARTY000, User Rank: Strategist
2/18/2012 | 8:26:14 PM
re: Tech Insight: Getting The Picture With Data Visualization
Have a look at http://secviz.org for more information and examples on how to visualize security data. Comment, ask questions, and get involved in the community!