The Heatmap - Why is Security Visualization so Hard?
Raffael Marty, CEO
Area41, Zurich, Switzerland
June 2, 2014
Security. Analytics. Insight.

[Slide 2] Heatmaps

[Slide 3] I am Raffy - I do Viz!
IBM Research

[Slide 4] The (New) Threat Landscape
Attacks have changed:
• Targeted
• Objectives beyond monetization
• Low and Slow
• Multiple access vectors
• Remotely controlled
Motivations have changed:
• Nation state sponsored
• Political, economic, and military advantage
• Monetization / Crimeware
• Religion
• Hacktivism
Security approaches failed due to:
• Reliance on past knowledge / signatures
• Systems are too rigid (e.g., schema)
• Poor scalability
• Limited knowledge exchange
(Image: APT1, Unit 61398 (61398部队))

[Slide 5] How Compromises Are Detected
Source: Mandiant M-Trends 2014 Threat Report
• Attackers in networks before detection: 229 days
• Average time to resolve a cyber attack: 27 days
• Successful attacks per company per week: 1.4
• Average cost per company per year: $7.2M

[Slide 6] Our Security Goals
• Find Intruders and 'New Attacks'
• Discover Exposure Early
• Communicate Findings

[Slide 7] Visualize Me Lots (>1TB) of Data
SecViz is Hard!

[Slide 8] Visualize 1TB of Data - What Graph?
(Figure: bar charts of the same firewall data on a log axis from 1 to 100000000: one by action (drop, reject, NONE, ctl, accept), one by event type (DNS Update Failed, Log In, IP Fragments, Max Flows Initiated, Packet Flood, UDP Flood, Aggressive Aging, Bootp, Renew, Log Out, Release, NACK, Conflict, DNS Update Successful, DNS record not deleted, DNS Update Request, Port Flood))
How much information does each of the graphs convey?

[Slide 9] The Heatmap
Matrix A, where a_ij are integer values mapped to a color scale.
(Figure: a grid of rows x columns; color scale a_ij = 1, 10, 20, 30, 40, 50, 60, 70, 80, >90; one cell is labelled 42)

[Slide 10] Mapping Data to a Heatmap
rows = source ip
columns = time
values = how often was <row_item> seen

[Slide 11] Mapping Log Records to Heatmaps
Example record:
May 5 23:57:50 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by ram(uid=0)
rows = user (root, ram, peg, sue)
columns = ∆t .. time bin
cell value: f() = +1, i.e. each record adds one to the cell of its user and its time bin

[Slide 12] Why Heatmaps?
• Scales well to a lot of data (can aggregate ad infinitum)
• Shows more information than a bar chart
• Flexible 'measure' mapping
  • frequency count
  • sum(variable) [avg(), stddev(), …]
  • distinct count(variable)
• BUT information content is limited!
  • Aggregates too highly in time and potentially value dimensions

[Slide 13] Data Visualization Workflow
Overview -> Zoom / Filter -> Details on Demand

[Slide 14] Data Visualization Workflow - Overview: Heatmap
• Can pack millions of records (although highly aggregated)
• Allows for zoom-in to expose detail
• By itself exposes patterns
• Great 'navigation' tool to drill into different, 'non-scalable' visualizations
• No other visualization possesses these properties

[Slide 15] HeatMap Challenges - Display: 1. Labels
• 1000s of rows -> <1px per label

[Slide 16] HeatMap Challenges - Display: 2. Mouse-Over
• What information to show?
  • Position - x/y coordinates
  • Original records
• Query backend for each position?

[Slide 17] HeatMap Challenges - Display: 3. Sorting
• Random
• Alphabetically
• Based on values
• Similarity
  • What algorithm?
  • What distance metric?
  • Leverage third data field / context?
(Figure: the same user-over-time heatmap in random row order and with rows clustered)

[Slide 18] HeatMap Challenges - Display: 4. Overplotting
• How to summarize multiple rows in one pixel? Sum?
• Overplot x and y axes?
• Undo overplot on zoom?
(Figure: 1 row -> 1 pixel; n rows -> 1 pixel (∑); 1 row -> m pixels)

[Slide 19] HeatMap Challenges - Interaction: 1. Time Selection
• Take screen resolution into account (you have 1000 pixels and you query 1005 seconds?)
• Choose start AND end time?
• Communicate to user what data is available?
(Figure: time-range selector with start time and end time)

[Slide 20] HeatMap Challenges - Interaction: 2. Zoom and Pan
• Re-query for more detail?

[Slide 21] HeatMap Challenges - Interaction: 3. Color Scales / Ranges
• discrete
• continuous
• different colors
• multiple anchors

[Slide 22] HeatMap Challenges - Interaction: 4. Exposure - Mapping data to color
(Figure: frequency histogram of the cell values; dark colors under-utilized)

[Slide 23] HeatMap Challenges - Interaction: 5. Pivot
(Figure: heatmap of destinationAddress over time; selecting a row pivots to sourceAddress WHERE destinationAddress = 81.223.6.41)

[Slide 24] HeatMap Challenges - Backend
Different backend technologies (big data):
• Key-value store
• Search engine
• GraphDB
• RDBMS
• Columnar - can answer analytical questions
• Hadoop (Map Reduce) - good for operations on ALL data
Other things to consider:
• Caching
• Joins

[Slide 25] What's the HeatMap Not Good At
• Showing relationships -> link graphs
• Showing multiple dimensions and their inter-relatedness -> parallel coordinates (|| coords)

[Slide 26] Heatmaps Are Good Starting Points … BUT
Overview -> Zoom / Filter -> Details on Demand

[Slide 27] Leverage Data Mining to Summarize Data
Overview -> Zoom / Filter -> Details on Demand
Overview:
• Leverage data mining (clustering) to create an overview
• Summarizing dozens of dimensions into a two-dimensional overview

[Slide 28] Self Organizing Maps
• Clustering based on a single data dimension, for example "attackers"
• It's hard to
  • engineer the right features
  • avoid over-learning
  • interpret the clusters
(Figure: a self-organizing map with 3 clusters, labelled 1, 2, 3)

[Slide 29] Examples
raffael.marty@pixlcloud.com

[Slide 30] Vincent
This heatmap shows behavior over time. In this case, we see activity per user. We can see that 'vincent' is visually different from all of the other users. He shows up very lightly over the entire time period. This seems to be something to look into.
Purely visually, without understanding the data, we were able to find this.

[Slide 33] Firewall Heatmap

[Slide 34] Showing Activity per Destination Address

[Slide 35] Changing Color Exposure

[Slide 36] Zoom In

[Slide 37] Pivot to Source Address

[Slide 38] Seriate

[Slide 40] Expanding Detail
(Figure: detail panels for source, destination port, source port)

[Slide 41] Intra-Role Anomaly - Random Order
(Figure: rows = users, columns = time, value = dc(machines))

[Slide 42] Intra-Role Anomaly - With Seriation

[Slide 43] Intra-Role Anomaly - Sorted by User Role
(Figure: rows grouped by role: Administrator, Sales, Development, Finance; one row outside the administrator group stands out, annotated "Admin???")

[Slide 44] Firewall Data
• Millions of rows
• High-cardinality fields
• Where to start analysis?
  • Formulate some hypotheses
  • Informs visualization process and data preparation
• Our hypothesis and assumption
  • Machines that get passed and blocked might be of interest
  • Low-frequency sources are not interesting

firewall data        data type    cardinality   distribution
source ip            ipv4         10-10^6       depends
dest ip              ipv4         10-10^6       depends
source port          int          65535         depends
dest port            int          65535         highly skewed
bytes in/out         int          -             skewed
action               bool / int   3             -
direction / iface    bool / str   small         -

[Slide 45] Visual Mapping
rows = source (10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4)
columns = ∆t .. time bin - aggregation
color mapping: block / pass / block & pass

[Slide 46] Low-Frequency Behavior
(Figure: two heatmaps, rows = source ip, 36k rows: sum <= 10; outbound and sum <= 10; inbound)

[Slide 47] Outbound Blocks - What's That?
Oct 25 11:56:14.123128 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 3660196221:3660197653(1432) ack 906644 win 32936 (DF)
Oct 25 11:57:18.140007 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
Oct 25 11:58:22.156195 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
Oct 25 11:59:26.170915 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)

less pflog.txt | grep xl1 | grep "rule 238" | sed -e 's/\(Oct .. ..\):..:..........*/\1/' | uniq -c
      6 Oct 25 03
      8 Oct 25 05
      3 Oct 25 06
     25 Oct 25 07
      9 Oct 25 08
    117 Oct 25 09
    127 Oct 25 10
    169 Oct 25 11
    178 Oct 25 12
    158 Oct 25 13
    187 Oct 25 14
    354 Oct 25 15
    111 Oct 25 16
    104 Oct 25 17
     33 Oct 25 18
     17 Oct 25 19
A clear increase in rule 238 traffic
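An added example (not the slides' own code) that covers the visual mapping of slide 45 and the pipeline above: it parses pflog text lines, reproduces the per-hour count of rule 238 on xl1, builds the source x hour matrix with the block / pass / block & pass cell mapping, and applies the sum <= 10 low-frequency split of slides 46 and 48. The first four records are the ones quoted above; the remaining records and the 10.0.0.x destinations are constructed.

```python
import re
from collections import Counter, defaultdict

# Four records copied from the slide (rule 238 blocks on xl1 in hour 11), then
# constructed records: two more rule-238 blocks in hour 12, and one pass plus
# one block from 66.220.17.151 on xl0 in hour 11 (a "block & pass" cell).
SAMPLE_PFLOG = """\
Oct 25 11:56:14.123128 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 3660196221:3660197653(1432) ack 906644 win 32936 (DF)
Oct 25 11:57:18.140007 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
Oct 25 11:58:22.156195 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
Oct 25 11:59:26.170915 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
Oct 25 12:00:30.000001 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
Oct 25 12:01:34.000002 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
Oct 25 11:10:00.000003 rule 0/0(match): pass in on xl0: 66.220.17.151.80 > 212.254.110.102.1977: S 1841864015:1841864019(4) ack 1308753921 win 16384 (DF)
Oct 25 11:12:00.000004 rule 237/0(match): block in on xl0: 66.220.17.151.80 > 212.254.110.103.1881: S 1451746674:1451746678(4) ack 1137377281 win 16384 (DF)
"""
# A constructed high-frequency source: twelve outbound passes, one per hour 03..14.
SAMPLE_PFLOG += "".join(
    f"Oct 25 {h:02d}:05:00.000000 rule 0/0(match): pass out on xl0: "
    f"195.141.69.42.{40000 + h} > 10.0.0.{h}.443: S 1:1(0) win 16384\n"
    for h in range(3, 15)
)

PFLOG_RE = re.compile(
    r"^(?P<hour>\w{3} +\d+ \d\d):\d\d:\d\d\.\d+ rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """One dict per line in pflog text format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(PFLOG_RE.match, text.splitlines()) if m]


def hourly_counts(records, rule, iface):
    # Same result as: grep <iface> | grep "rule <rule>" | sed 's/\(Oct .. ..\):.*/\1/' | uniq -c
    # uniq -c only merges adjacent lines, so the pipeline relies on the log being
    # in time order; the Counter does not.
    return Counter(r["hour"] for r in records if r["rule"] == rule and r["iface"] == iface)


def source_matrix(records, direction):
    """rows = source ip, columns = hour bin, cell = set of actions seen there."""
    cells = defaultdict(set)
    for r in records:
        if r["dir"] == direction:
            cells[(r["src"], r["hour"])].add(r["action"])
    return cells


def cell_color(actions):
    """The slide's color mapping: 'block', 'pass' or 'block&pass' ('none' if empty)."""
    return "&".join(sorted(actions)) if actions else "none"


def split_by_frequency(records, direction, threshold=10):
    """Slides 46/48: low-frequency sources (sum <= threshold) vs. the rest."""
    totals = Counter(r["src"] for r in records if r["dir"] == direction)
    low = {s for s, n in totals.items() if n <= threshold}
    return low, set(totals) - low


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for hour, n in sorted(hourly_counts(recs, "238", "xl1").items()):
        print(f"{n:7d} {hour}")
    cells = source_matrix(recs, "in")
    for key in sorted(cells):
        print(key, cell_color(cells[key]))
    print("inbound  low/high:", split_by_frequency(recs, "in"))
    print("outbound low/high:", split_by_frequency(recs, "out"))
```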

[Slide 48] High Frequency Sources Over Time
(Figure: heatmap of sources with sum > 10, 672 rows; colors block / pass / block & pass)

[Slide 49] High Frequency Traffic Split Up
(Figure: the high-frequency sources split into an inbound and an outbound heatmap, one row per source ip)

[Slide 50] Outbound Traffic - Some Questions To Ask
• What happened mid-way through?
• Why is anything outbound blocked?
• What are the top and bottom machines doing?
• Did we get a new machine into the network?
• Some machines went away?
(Figure: the outbound heatmap, row 195.141.69.42 highlighted)

[Slide 51] 195.141.69.42 - Interactions
(Figure: detail panels for action, port, dest)

[Slide 53] Zooming in on Top Rows
(Figure: zoomed heatmap of the top rows, the sources in the 212.254.110.x range)
• Hardly any pass-block
212.254.110.103:
Oct 22 14:20:08.351202 rule 237/0(match): block in on xl0: 66.220.17.151.80 > 212.254.110.103.1881: S 1451746674:1451746678(4) ack 1137377281 win 16384 (DF)
212.254.110.102:
Oct 16 13:14:05.627835 rule 0/0(match): pass in on xl0: 66.220.17.151.80 > 212.254.110.102.1977: S 1841864015:1841864019(4) ack 1308753921 win 16384 (DF)
SYN ACK for real Web traffic passed

[Slide 54] This Guy Sure Keeps Busy
(Figure: dest port over time for 212.254.144.40)

[Slide 55] Recap
• Attackers are very successful
• Data could reveal adversaries
• We have a big data analytics problem
• We need the right analytics and visualizations
• Security visualization is hard
• Data visualization workflow is a promising approach
• Heatmaps are great for overviews
• We need a set of heuristics and workflows

[Slide 56]
raffael.marty@pixlcloud.com

Raffael Marty
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
Raffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
Raffael Marty
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
Raffael Marty
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
Raffael Marty
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
Raffael Marty
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
Raffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
Raffael Marty
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
Raffael Marty
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
Raffael Marty
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
Raffael Marty
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
Raffael Marty
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data Mining
Raffael Marty
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step Back
Raffael Marty
 
Visual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceVisual Analytics and Security Intelligence
Visual Analytics and Security Intelligence
Raffael Marty
 
RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
Raffael Marty
 

More from Raffael Marty (20)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data Mining
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step Back
 
Visual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceVisual Analytics and Security Intelligence
Visual Analytics and Security Intelligence
 
RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
 

Recently uploaded

Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl DelhiCall Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
alisha panday
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
rajesh344555
 
Tesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple SlideTesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple Slide
abzjkr
 
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available MumbaiCelebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
komal sharman06
 
🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available
🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available
🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available
manalishivani8
 
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
shasha$L14
 
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
payalgupta2u
 
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
monuc3758 $S2
 
Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...
Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...
Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...
Bert Blevins
 
Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts ServiceCall Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
huse9823
 
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
hina sharma$A17
 
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
adocd
 
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
Web Inspire
 
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
SANIYA KHATUN$S2
 
japie swanepoel_ ai windhoek june 2024.pptx
japie swanepoel_ ai windhoek june 2024.pptxjapie swanepoel_ ai windhoek june 2024.pptx
japie swanepoel_ ai windhoek june 2024.pptx
japie swanepoel
 
Seizing the IPv6 Advantage: For a Bigger, Faster and Stronger Internet
Seizing the IPv6 Advantage: For a Bigger, Faster and Stronger InternetSeizing the IPv6 Advantage: For a Bigger, Faster and Stronger Internet
Seizing the IPv6 Advantage: For a Bigger, Faster and Stronger Internet
APNIC
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
AmitTuteja9
 
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
THE MOST
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
Federico Ast
 
Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7
Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7
Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7
manalishivani8
 

Recently uploaded (20)

Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl DelhiCall Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
Call Girls In Delhi 🔥 +91-9873940964🔥High Profile Call Girl Delhi
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
 
Tesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple SlideTesla Humanoid Robot - PPT in 11 Simple Slide
Tesla Humanoid Robot - PPT in 11 Simple Slide
 
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available MumbaiCelebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
Celebrity Navi Mumbai Call Girls 🥰 9967584737 🥰 Escorts Service Available Mumbai
 
🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available
🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available
🔥Chennai Call Girls 🫱 8824825030 🫲 High Class Chennai Escorts Service Available
 
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
🔥High Profile Call Girls Gurgaon 💯Call Us 🔝 9873777170 🔝💃Top Class Call Girl ...
 
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
Call Girls In Chennai 💯Call Us 🔝 8824825030 🔝Independent Chennai Escorts Serv...
 
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
Full Night Fun With Call Girls Lucknow📞7737669865 At Very Cheap Rates Doorste...
 
Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...
Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...
Enhancing Security with Multi-Factor Authentication in Privileged Access Mana...
 
Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts ServiceCall Girls Vijayawada 7742996321 Vijayawada Escorts Service
Call Girls Vijayawada 7742996321 Vijayawada Escorts Service
 
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
High Profile Call Girls Bangalore ✔ 9352988975 ✔ Hi I Am Divya Vip Call Girl ...
 
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
一比一原版(uofr学位证书)罗切斯特大学毕业证如何办理
 
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
 
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
Call Girls Service Ahmedabad 🔥 7737669865 🔥 Available Nearby Escort Is Live R...
 
japie swanepoel_ ai windhoek june 2024.pptx
japie swanepoel_ ai windhoek june 2024.pptxjapie swanepoel_ ai windhoek june 2024.pptx
japie swanepoel_ ai windhoek june 2024.pptx
 
Seizing the IPv6 Advantage: For a Bigger, Faster and Stronger Internet
Seizing the IPv6 Advantage: For a Bigger, Faster and Stronger InternetSeizing the IPv6 Advantage: For a Bigger, Faster and Stronger Internet
Seizing the IPv6 Advantage: For a Bigger, Faster and Stronger Internet
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
 
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
🔥Call Girls In Chandigarh 💯Call Us 🔝 6350257716 🔝💃Top Class Call Girl Service...
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
 
Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7
Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7
Call Girls Dehradun 8824825030 Escort In Dehradun service 24X7
 

The Heatmap
 - Why is Security Visualization so Hard?

  • 11-13. Mapping Log Records to Heatmaps
    May 5 23:57:50 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by ram(uid=0)
    [figure: rows are the users root, ram, peg, sue; columns are ∆t time bins; every record that falls into a cell adds ⨍() = +1 to it]
  • 14-15. Why Heatmaps?
    • Scales well to a lot of data (can aggregate ad infinitum)
    • Shows more information than a bar chart
    • Flexible ‘measure’ mapping: frequency count; sum(variable) [avg(), stddev(), …]; distinct count(variable)
    • BUT information content is limited! Aggregates too highly in time and potentially in the value dimensions.
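Slides 11 to 15 describe the row/column/measure mapping without code. The Python below is an added example, not code from the talk: it parses sudo/pam_unix session lines like the one on the slide, bins them into ∆t intervals and builds the matrix A for the frequency-count and distinct-count measures. The extra log lines, the assumed year 2014 and the ASCII palette are constructed.

```python
"""Build the heatmap matrix A of slides 9 to 15 from raw log records:
rows = <row_item> (here the invoking user), columns = ∆t time bins,
a_ij = a chosen measure over the records that fall into the cell.
Added example, not code from the talk; the log lines are constructed in
the style of the sudo/pam_unix line quoted on the slide."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog carries no year; 2014 is assumed when parsing).
SAMPLE_LOG = """\
May 5 23:57:50 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by ram(uid=0)
May 5 23:58:10 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by ram(uid=0)
May 5 23:58:40 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by peg(uid=0)
May 5 23:59:05 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by sue(uid=0)
May 5 23:59:30 pixl-ram sudo: pam_unix(sudo:session): session opened for user postgres by sue(uid=0)
May 6 00:00:30 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by ram(uid=0)
May 6 00:01:55 pixl-ram sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
this line is not a sudo session record and is skipped by the parser
"""

SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo: "
    r"pam_unix\(sudo:session\): session opened for user (?P<target>\S+) "
    r"by (?P<user>\S+)\(uid=(?P<uid>\d+)\)$"
)


def parse_sudo(line, year=2014):
    """Return a record dict for a matching sudo session line, else None."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "user": m["user"],
            "target": m["target"], "uid": int(m["uid"])}


def build_heatmap(records, row_key, delta_s, measure="count", value_key=None):
    """Return (row_labels, n_bins, A).

    A[i][j] holds the measure for row_labels[i] in time bin j, where bin j
    covers [epoch + j*delta_s, epoch + (j+1)*delta_s). Measures follow slide 14:
      count -> ⨍() = +1 per record (frequency count)
      sum   -> sum(value_key)
      dc    -> distinct count(value_key)
    """
    epoch = min(r["time"] for r in records)
    cells = defaultdict(list)
    for r in records:
        j = int((r["time"] - epoch).total_seconds() // delta_s)
        cells[(r[row_key], j)].append(r)
    rows = sorted({row for row, _ in cells})
    n_bins = max(j for _, j in cells) + 1

    def agg(recs):
        if measure == "count":
            return len(recs)
        if measure == "sum":
            return sum(x[value_key] for x in recs)
        if measure == "dc":
            return len({x[value_key] for x in recs})
        raise ValueError(f"unknown measure {measure!r}")

    A = [[agg(cells[(row, j)]) if (row, j) in cells else 0
          for j in range(n_bins)] for row in rows]
    return rows, n_bins, A


# Ten-step discrete scale, analogous to the colour legend on slide 9.
PALETTE = " .:-=+*#%@"


def render(rows, A):
    """ASCII rendering: a_ij mapped linearly onto PALETTE (highest value -> '@')."""
    top = max((v for row in A for v in row), default=0) or 1
    out = []
    for label, row in zip(rows, A):
        cells = "".join(PALETTE[min(len(PALETTE) - 1, v * (len(PALETTE) - 1) // top)]
                        for v in row)
        out.append(f"{label:>8} |{cells}|")
    return "\n".join(out)


def load(text):
    """Parse every line of a log text, dropping lines that are not sudo sessions."""
    return [rec for rec in map(parse_sudo, text.splitlines()) if rec]


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    for measure, key in (("count", None), ("dc", "target")):
        rows, n, A = build_heatmap(recs, "user", delta_s=60, measure=measure, value_key=key)
        print(f"measure={measure} bins={n}")
        print(render(rows, A))
```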
  • 16. Data Visualization Workflow: Overview → Zoom / Filter → Details on Demand
  • 17. Data Visualization Workflow - Overview: the Heatmap
    • Can pack millions of records (although highly aggregated)
    • Allows for zoom-in to expose detail
    • By itself exposes patterns
    • Great ‘navigation’ tool to drill into different, ‘non-scalable’ visualizations
    • No other visualization possesses these properties
  • 18. HeatMap Challenges - Display: 1. Labels
    [figure: 1000s of rows leave <1px per label]
  • 19. HeatMap Challenges - Display: 2. Mouse-Over
    • What information to show? Position (x/y coordinates)? Original records?
    • Query backend for each position?
  • 20. HeatMap Challenges - Display: 3. Sorting
    • Random, alphabetically, based on values, or by similarity
    • Similarity: what algorithm? What distance metric? Leverage a third data field / context?
    [figure: rows in random order vs. rows clustered by user]
  • 21. HeatMap Challenges - Display: 4. Overplotting
    • How to summarize multiple rows in one pixel? Sum?
    • Overplot x and y axes?
    • Undo overplot on zoom?
    [figure: 1 row -> 1 pixel; n rows -> 1 pixel (∑); 1 row -> m pixels]
  • 22. HeatMap Challenges - Interaction: 1. Time Selection
    • Take screen resolution into account (you have 1000 pixels and you query 1005 seconds?)
    • Choose start AND end time?
    • Communicate to the user what data is available?
    [figure: start time / end time selector]
  • 23. HeatMap Challenges - Interaction: 2. Zoom and Pan
    • Re-query for more detail?
  • 24. HeatMap Challenges - Interaction: 3. Color Scales / Ranges
    • discrete or continuous
    • different colors
    • multiple anchors
  • 25. HeatMap Challenges - Interaction: 4. Exposure - Mapping data to color
    [figure: frequency distribution of the values; dark colors are under-utilized]
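Added example, not code from the talk, for the time-selection, overplotting and exposure challenges above: the bin width ∆t is chosen from the pixel budget, consecutive rows are summed into one pixel row, and a linear colour mapping is compared with a quantile mapping on a constructed, skewed row of counts. The set of "nice" bin widths and the sample counts are assumptions.

```python
"""Display/interaction challenges from slides 21, 22, 24 and 25 in code:
pick the time bin ∆t from the pixel budget, collapse n rows into one pixel
row by summing, and map values onto a discrete colour scale either linearly
or by quantiles. Added example, not code from the talk; SKEWED_COUNTS is a
constructed row of per-cell counts."""
import math
from bisect import bisect_left
from collections import Counter

# Bin widths (seconds) a user can read off an axis: 1s, 2s, 5s, ... 1 day (assumed set).
NICE_WIDTHS = (1, 2, 5, 10, 15, 30, 60, 120, 300, 600, 900, 1800, 3600, 7200, 14400, 86400)


def choose_bin_seconds(span_seconds, pixels):
    """Smallest 'nice' ∆t so that the queried span needs at most `pixels` columns.

    Slide 22's case: 1000 pixels for 1005 seconds cannot be drawn at 1 s/bin
    without overplotting, so the function steps up to 2 s bins (503 columns).
    Returns (delta_s, n_columns)."""
    needed = span_seconds / pixels
    for w in NICE_WIDTHS:
        if w >= needed:
            return w, math.ceil(span_seconds / w)
    w = math.ceil(needed)
    return w, math.ceil(span_seconds / w)


def collapse_rows(A, pixel_rows):
    """n rows -> 1 pixel (slide 21): sum consecutive groups of rows so the
    result has at most `pixel_rows` rows. Row order is preserved, so sort or
    seriate the matrix first if neighbouring rows should be similar."""
    if len(A) <= pixel_rows:
        return [list(r) for r in A]
    group = math.ceil(len(A) / pixel_rows)
    return [[sum(col) for col in zip(*A[i:i + group])] for i in range(0, len(A), group)]


def linear_levels(values, k):
    """Map values onto k discrete colour levels with equal-width value ranges."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0] * len(values)
    return [min(k - 1, int((v - lo) / (hi - lo) * k)) for v in values]


def quantile_levels(values, k):
    """Map values onto k levels with (roughly) equal numbers of cells per level,
    so every colour is actually used even when the distribution is skewed.
    Equal values always get the same level."""
    s = sorted(values)
    n = len(s)
    thresholds = [s[(i * n) // k] for i in range(1, k)]
    return [bisect_left(thresholds, v) for v in values]


def level_usage(levels, k):
    """How many cells landed on each colour level (slide 25's 'exposure')."""
    c = Counter(levels)
    return [c.get(i, 0) for i in range(k)]


# Constructed per-cell counts with the heavy right skew typical of firewall data.
SKEWED_COUNTS = [1, 1, 1, 2, 2, 3, 3, 4, 5, 8, 12, 20, 95]


if __name__ == "__main__":
    print("1005 s on 1000 px ->", choose_bin_seconds(1005, 1000))
    print("linear   usage per level:", level_usage(linear_levels(SKEWED_COUNTS, 5), 5))
    print("quantile usage per level:", level_usage(quantile_levels(SKEWED_COUNTS, 5), 5))
```

With the linear mapping 11 of the 13 cells share the lightest colour and three of the five colours stay unused; the quantile mapping spreads the same cells over all five levels.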
  • 26-27. HeatMap Challenges - Interaction: 5. Pivot
    [figure: heatmap by destinationAddress, pivoted to sourceAddress WHERE destinationAddress = 81.223.6.41]
  • 28. HeatMap Challenges - Backend
    Different backend technologies (big data):
    • Key-value store
    • Search engine
    • GraphDB
    • RDBMS
    • Columnar - can answer analytical questions
    • Hadoop (Map Reduce) - good for operations on ALL data
    Other things to consider: caching, joins
  • 29. What’s the HeatMap Not Good At
    • Showing relationships -> link graphs
    • Showing multiple dimensions and their inter-relatedness -> || coords (parallel coordinates)
  • 30. Heatmaps Are Good Starting Points … BUT (Overview → Zoom / Filter → Details on Demand)
  • 31. Leverage Data Mining to Summarize Data (the Overview step)
    • Leverage data mining (clustering) to create an overview
    • Summarizing dozens of dimensions into a two-dimensional overview
  • 32. Self Organizing Maps
    • Clustering based on a single data dimension, for example “attackers”
    • It’s hard to engineer the right features, avoid over-learning, and interpret the clusters
    [figure: self-organizing map with 3 clusters]
  • 33. Examples (Raffael . Marty @ pixlcloud . com)
  • 34. Vincent
    This heatmap shows behavior over time. In this case, we see activity per user. We can see that ‘vincent’ is visually different from all of the other users: he shows up very lightly over the entire time period. This seems to be something to look into. We were able to find this purely visually, without understanding the data.
  • 36. Showing Activity per Destination Address
  • 41. Expanding Detail
    [figure: panels labelled source, destination port, source port]
  • 42. Intra-Role Anomaly - Random Order
    [figure: rows = users, columns = time, value = dc(machines)]
  • 43. Intra-Role Anomaly - With Seriation
  • 44-45. Intra-Role Anomaly - Sorted by User Role
    [figure: rows grouped by role: Administrator, Sales, Development, Finance; one row annotated “Admin???”]
  • 46. Firewall Data
    • Millions of rows
    • High-cardinality fields
    • Where to start analysis?
      • Formulate some hypotheses
      • Informs visualization process and data preparation
    • Our hypothesis and assumption
      • Machines that get passed and blocked might be of interest
      • Low-frequency sources are not interesting

    firewall data       data type    cardinality   distribution
    source ip           ipv4         10-10^6       depends
    dest ip             ipv4         10-10^6       depends
    source port         int          65535         depends
    dest port           int          65535         highly skewed
    bytes in/out        int          -             skewed
    action              bool / int   3             -
    direction / iface   bool / str   small         -
  • 47. Visual Mapping
    [figure: rows = source (10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4), columns = ∆t time bins (aggregation); color mapping: block & pass / block / pass]
  • 48. Low-Frequency Behavior
    [figure: two heatmaps of source ip rows with sum <= 10, outbound and inbound; 36k rows]
  • 49. Outbound Blocks - What’s That?
    Oct 25 11:56:14.123128 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 3660196221:3660197653(1432) ack 906644 win 32936 (DF)
    Oct 25 11:57:18.140007 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
    Oct 25 11:58:22.156195 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)
    Oct 25 11:59:26.170915 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)

    Counting rule 238 hits per hour (the sed keeps only the "Oct 25 11" part of each timestamp, so uniq -c counts consecutive lines from the same hour):

    less pflog.txt | grep xl1 | grep "rule 238" | sed -e 's/\(Oct .. ..\):..:..........*/\1/' | uniq -c
      6 Oct 25 03
      8 Oct 25 05
      3 Oct 25 06
     25 Oct 25 07
      9 Oct 25 08
    117 Oct 25 09
    127 Oct 25 10
    169 Oct 25 11
    178 Oct 25 12
    158 Oct 25 13
    187 Oct 25 14
    354 Oct 25 15
    111 Oct 25 16
    104 Oct 25 17
     33 Oct 25 18
     17 Oct 25 19

    A clear increase in rule 238 traffic
  • 50. High Frequency Sources Over Time
    [figure: sources with sum > 10, 672 rows; color mapping: block & pass / block / pass]
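Added example, not the speaker's code, that applies the firewall hypothesis and visual mapping of slides 46 to 50 to the pf log lines quoted on the slides: each (source, hour) cell is coloured block & pass / block / pass, sources are split at sum <= 10 versus sum > 10, and rule 238 is counted per hour the way the grep/sed/uniq -c pipeline does. One pass line is constructed so that a block & pass cell appears.

```python
"""Firewall analysis of slides 46 to 50: parse pf log lines, bin them per
source address and hour, colour each cell by the action mix (block & pass /
block / pass), split sources into low- and high-frequency groups, and count
one rule's hits per hour (what the grep | sed | uniq -c pipeline does).
Added example, not code from the talk. The rule 238, 237 and 0 lines are the
ones quoted on the slides; the line marked CONSTRUCTED was added so one
source shows both actions in the same hour."""
import re
from collections import Counter, defaultdict

PFLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2}\.\d+ "
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

SAMPLE_PFLOG = [
    "Oct 25 11:56:14.123128 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 3660196221:3660197653(1432) ack 906644 win 32936 (DF)",
    "Oct 25 11:57:18.140007 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)",
    "Oct 25 11:58:22.156195 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)",
    "Oct 25 11:59:26.170915 rule 238/0(match): block in on xl1: 212.254.110.98.80 > 195.186.129.127.1338: . 0:1432(1432) ack 1 win 32936 (DF)",
    # CONSTRUCTED: a passed connection from the same source in the same hour.
    "Oct 25 11:30:00.000000 rule 0/0(match): pass in on xl1: 212.254.110.98.80 > 195.186.129.127.1339: S 1:5(4) ack 1 win 32936 (DF)",
    "Oct 22 14:20:08.351202 rule 237/0(match): block in on xl0: 66.220.17.151.80 > 212.254.110.103.1881: S 1451746674:1451746678(4) ack 1137377281 win 16384 (DF)",
    "Oct 16 13:14:05.627835 rule 0/0(match): pass in on xl0: 66.220.17.151.80 > 212.254.110.102.1977: S 1841864015:1841864019(4) ack 1308753921 win 16384 (DF)",
]


def parse_pflog(line):
    """Return a record dict for a pf log line, else None."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    # Same "Oct 25 11" key that the slide's sed expression keeps.
    rec["bin"] = f"{rec['mon']} {rec['day']} {rec['hour']}"
    return rec


def load_pflog(lines):
    return [rec for rec in map(parse_pflog, lines) if rec]


def rule_counts_per_hour(records, rule):
    """Equivalent of: grep "rule N" | sed 's/\\(Oct .. ..\\):.*/\\1/' | uniq -c.
    uniq -c only merges adjacent lines, so the shell version assumes a
    time-sorted log; a Counter does not."""
    return Counter(r["bin"] for r in records if r["rule"] == rule)


def action_cells(records):
    """cells[src][bin] = set of actions seen in that heatmap cell (slide 47)."""
    cells = defaultdict(lambda: defaultdict(set))
    for r in records:
        cells[r["src"]][r["bin"]].add(r["action"])
    return cells


def cell_color(actions):
    """Slide 47's colour classes for one cell."""
    if actions == {"block", "pass"}:
        return "block & pass"
    return next(iter(actions)) if actions else "none"


def interesting_sources(cells):
    """Slide 46's hypothesis: sources that get both passed and blocked."""
    return {src for src, bins in cells.items()
            if any(cell_color(a) == "block & pass" for a in bins.values())}


def split_by_frequency(records, threshold=10):
    """Slides 48/50: low-frequency sources (sum <= threshold) vs. the rest."""
    totals = Counter(r["src"] for r in records)
    low = {s for s, n in totals.items() if n <= threshold}
    return low, set(totals) - low


if __name__ == "__main__":
    recs = load_pflog(SAMPLE_PFLOG)
    for hour, n in sorted(rule_counts_per_hour(recs, 238).items()):
        print(f"{n:>4} {hour}")
    cells = action_cells(recs)
    for src, bins in cells.items():
        for hour, actions in sorted(bins.items()):
            print(f"{src:>16} {hour} -> {cell_color(actions)}")
    print("passed and blocked:", interesting_sources(cells))
    print("low / high frequency:", split_by_frequency(recs))
```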
  • 51. High Frequency Traffic Split Up
    [figure: inbound and outbound panels; one row per source address]
  • 52. Outbound Traffic - Some Questions To Ask
    • What happened mid-way through?
    • Why is anything outbound blocked?
    • What are the top and bottom machines doing?
    • Did we get a new machine into the network?
    • Some machines went away?
    [figure: 195.141.69.42 highlighted]
  • 53. 195.141.69.42 - Interactions
    [figure: action, port, dest]
  • 54-55. Zooming in on Top Rows
    [figure: one row per source address]
    • Hardly any pass-block
    Oct 22 14:20:08.351202 rule 237/0(match): block in on xl0: 66.220.17.151.80 > 212.254.110.103.1881: S 1451746674:1451746678(4) ack 1137377281 win 16384 (DF)
    212.254.110.102:
    Oct 16 13:14:05.627835 rule 0/0(match): pass in on xl0: 66.220.17.151.80 > 212.254.110.102.1977: S 1841864015:1841864019(4) ack 1308753921 win 16384 (DF)
    SYN ACK for real Web traffic passed
  • 56. This Guy Sure Keeps Busy
    [figure: 212.254.144.40 by dest port]
  • 57. Recap
    • Attackers are very successful
    • Data could reveal adversaries
    • We have a big data analytics problem
    • We need the right analytics and visualizations
    • Security visualization is hard
    • Data visualization workflow is a promising approach
    • Heatmaps are great for overviews
    • We need a set of heuristics and workflows