I was attending the RSA Conference all week long. During one day my mission was to find out what the state of visualization in security products is. Here is what I found:
- Most products have reporting features
- A lot of products use dashboards which let you interact and drill-down into the details. This generally means clicking on one of the bars in a bar chart to get to the underlying textual representation of the events.
- Some products use drilldowns to get from one dashboard to another (nice!)
- Some products let you customize the dashboards or change the visualization parameters interactively. Keyword: Dynamic Queries (very nice!)
- Only one company that I talked to uses a visual interface (a treemap) as their main way of interacting with the product. They even let you change the parameters on the fly! (very very nice!)
My wish list:
- More visual interfaces.
- More interactive dashboards. Being able to drill-down from one dashboard into another to get more information.
- More meaningful dashboards. Tell me why a certain graph is important in the dashboard. What's the use-case for showing it?
- More products using better visualization (have you heard of treemaps?)
- Interactive visuals. Let me choose how I want my data represented. Make it configurable. But don't overload the interface with features. Make sure there are valid use-cases and make them obvious to me! Wizards?
I am pretty amazed with the Processing project. It's a full-blown, java-based programming language which has added commands to generate 3D graphs. I played around with it and pretty quickly built a tool which plots 3D coordinates which are stored in a file, onto the screen. It's fully animated, interactive, etc. The real killer is that the tool will generate a JAR with the entire code executable on Linux or Windows OR as an applet. Really worth having a look at!
This is an image of a parallel coordinate plot (source IP, source TCP port, destination TCP port, source UDP port, destination UDP port, destination IP) that I created using the rumint visualization tool. TCP is in green and UDP is in orange. I deliberately jammed the visualization display by creating packets with random source IP addresses and sequential source and destination ports. If you are interested in more details they are available in this paper [PDF].
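As an added example (not rumint's code, and not the author's), the following script draws the same six-axis parallel coordinate plot over constructed packet records and writes it as SVG: one vertical axis per field, TCP polylines in green, UDP in orange. The sample traffic is made up, and the choice to route a packet only through the port axes of its own protocol is an assumption about how such a plot is laid out, not a description of rumint.

```python
"""Parallel-coordinate plot of packet headers, written as SVG.

Added example, not the rumint tool from the post. Axes follow the post:
source IP, source TCP port, destination TCP port, source UDP port,
destination UDP port, destination IP. TCP is green, UDP is orange.
"""
import ipaddress
import random

AXES = ["src_ip", "src_tcp_port", "dst_tcp_port",
        "src_udp_port", "dst_udp_port", "dst_ip"]


def jam_burst(n, seed=1):
    """Constructed 'jamming' traffic: random source IPs, sequential ports."""
    rng = random.Random(seed)
    return [("tcp", str(ipaddress.IPv4Address(rng.getrandbits(32))),
             1024 + i, 1024 + i, "192.168.1.10") for i in range(n)]


# Constructed sample packets (proto, src_ip, sport, dport, dst_ip), not a capture.
PACKETS = [
    ("tcp", "10.0.0.5", 51000, 80, "192.168.1.10"),
    ("tcp", "10.0.0.5", 51001, 443, "192.168.1.11"),
    ("udp", "10.0.0.7", 40000, 53, "192.168.1.1"),
    ("udp", "10.0.0.8", 40001, 123, "192.168.1.2"),
] + jam_burst(20)


def axis_values(proto, src_ip, sport, dport, dst_ip):
    """Coordinate on each axis; None where the axis does not apply.
    Assumption: a TCP packet skips the UDP port axes and vice versa."""
    tcp = proto == "tcp"
    return {
        "src_ip": int(ipaddress.ip_address(src_ip)),
        "src_tcp_port": sport if tcp else None,
        "dst_tcp_port": dport if tcp else None,
        "src_udp_port": None if tcp else sport,
        "dst_udp_port": None if tcp else dport,
        "dst_ip": int(ipaddress.ip_address(dst_ip)),
    }


def scale(value, lo, hi, height):
    """Linear map of value in [lo, hi] to a pixel y (0 at top).
    A constant axis has no spread, so its values sit at mid-height."""
    if hi == lo:
        return height / 2
    return height - (value - lo) / (hi - lo) * height


def render_svg(packets, width=600, height=300):
    """Return an SVG string: one axis per field, one polyline per packet."""
    rows = [(p[0], axis_values(*p)) for p in packets]
    ranges = {}
    for ax in AXES:
        vals = [r[ax] for _, r in rows if r[ax] is not None]
        ranges[ax] = (min(vals), max(vals)) if vals else (0, 1)
    step = width / (len(AXES) - 1)
    out = [f'<svg xmlns="http://www.w3.org/2000/svg" '
           f'width="{width + 1}" height="{height}">']
    for i in range(len(AXES)):
        x = i * step
        out.append(f'<line x1="{x:.1f}" y1="0" x2="{x:.1f}" '
                   f'y2="{height}" stroke="black"/>')
    for proto, r in rows:
        colour = "green" if proto == "tcp" else "orange"
        pts = [(i * step, scale(r[ax], *ranges[ax], height))
               for i, ax in enumerate(AXES) if r[ax] is not None]
        path = " ".join(f"{x:.1f},{y:.1f}" for x, y in pts)
        out.append(f'<polyline fill="none" stroke="{colour}" '
                   f'stroke-opacity="0.6" points="{path}"/>')
    out.append("</svg>")
    return "\n".join(out)


if __name__ == "__main__":
    with open("packets.svg", "w") as fh:
        fh.write(render_svg(PACKETS))
```

With the jamming burst included, the source IP axis fans out to random positions while the port axes form a tight diagonal band of sequential values, which is exactly the occlusion the post describes.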
I just updated secviz.org to the latest version of the CMS. I also added a SPAM module. Let's hope this will help to control SPAM a bit better.
If you find any part of the page not working, please let me know: ram (at) secviz.org.
The Many Eyes project is not focused on security visualization, but nevertheless, it's an interesting and very well done portal. What I really like is the interactivity. Play with some of the treemaps. You can reconfigure them on the fly. Very nice. I also like the explanation of the different chart types and when they are best used.
Tenable Network Security's Security Center includes a 3D visualization tool that can derive network topology information from distributed Nessus vulnerability scanners. Each node in the center helix of the above graph is a detected router. Clicking on the router can expose the number of hosts "behind" each router. Placing your mouse over the node displays its vulnerabilities and placing your mouse over the router can display its links to other routers. The entire display can be rotated and loaded with different data sets. For example, a user could query the Security Center to get a list of all web servers, then perform a second query for all web servers which perhaps didn't have logging enabled and then display these locations on the topology. A video of the 3D tool in action is located here.
This graph was produced with vulnerability data sniffed by the Passive Vulnerability Scanner (PVS) from Tenable Network Security and AfterGlow. A blog entry detailing this graph is located at Tenable's blog. The PVS sniffs vulnerability data such as client and server vulnerabilities, but also network 'trust' relationships such as which machines connect to a server on port 22. In the above graph, a host with an arrow to another host represents that the PVS has observed at least one network connection between those systems.
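As an added example (not PVS or AfterGlow code, and not the graph from the post), the script below turns constructed "source,destination,port" connection records into a Graphviz DOT link graph: one directed edge per observed source/destination/port triple, labelled with how often it was seen. It also answers the "who connects to this server on port 22" question in plain data. The record format and all hosts are made up for illustration.

```python
"""Link graph of observed connections, emitted as Graphviz DOT.

Added example, not PVS or AfterGlow. Input lines are
"source,destination,port" (a constructed format); each distinct
(source, destination, port) becomes one edge, labelled with its count.
"""
from collections import Counter

# Constructed connection records, not PVS output.
CONNECTIONS = """\
# src,dst,port
10.0.0.5,10.0.0.100,22
10.0.0.5,10.0.0.100,22
10.0.0.7,10.0.0.100,22
10.0.0.7,10.0.0.101,443
10.0.0.100,10.0.0.101,3306
"""


def parse(text, port=None):
    """Count (src, dst, port) triples; optionally keep only one port."""
    edges = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, p = (f.strip() for f in line.split(","))
        p = int(p)
        if port is None or p == port:
            edges[(src, dst, p)] += 1
    return edges


def to_dot(edges):
    """Render the edge counter as a DOT digraph (feed to `dot -Tpng`)."""
    lines = ["digraph trust {", "  rankdir=LR;", "  node [shape=box];"]
    for (src, dst, port), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{port} x{n}"];')
    lines.append("}")
    return "\n".join(lines)


def servers_with_clients(edges, port):
    """Map each destination seen on `port` to the set of sources that hit it."""
    out = {}
    for (src, dst, p) in edges:
        if p == port:
            out.setdefault(dst, set()).add(src)
    return out


if __name__ == "__main__":
    edges = parse(CONNECTIONS)
    print(to_dot(edges))
    print(servers_with_clients(edges, 22))
```

The arrow direction encodes who initiated the connection, so a node with many inbound port-22 edges is an SSH server whose trust boundary is visible at a glance; filtering with `parse(text, port=22)` before rendering keeps only that relationship.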
I am quite frustrated with a lot of the research papers and tools that get published. In a lot of cases you can just tell that the authors and developers of certain tools have good intentions, but unfortunately no, or limited, domain knowledge.
One example was a recent paper I read about some visualization tool. They were talking about occlusion and how filtering can help address that problem. Absolutely. I could not agree more. However, the context was security alarms. It was proposed that one of the most effective ways to deal with occlusion was to filter based on the alarm priority and only show a certain alarm level. Well, why would I need a visualization tool for that? I can use grep to do so. And if you are going to visualize only the highest priority alerts (or any level of priority for that matter), you are losing context. It might have been enormously important to see those level 10 alerts in context with all the level one alerts. That's why you want to use visualization, to see relationships. The relationships among level 10 alerts are limited and most likely there won't be many!
The second point I want to get across about visualization (or in general security research) papers, is the use of the wrong data to verify and justify a tool's usefulness. Simulated data feeds, artificially generated user behavior, etc. is just a really really bad way of testing or at least justifying why a tool is well suited for finding important/relevant events. And if you are going to use metrics on top of that data which talk for example about recall and precision, you are just in the wrong profession. Get that tool on a real network where people are trying to solve real problems!
I am a "Media System Design" student while working at the IT Security Department and I've been impressed by the idea of presenting Logfiles in a graphical way to determine the relevant information at first glance.
Because of that, my thesis, which starts in Feb 2007, deals with that issue and is focused on an interactive manner of browsing(!) the graphical map. As a "Media System Design" Student, Data Visualization is a very interesting issue and matches perfectly to the content of our studies.
Well, I am a hard-working student and so I've already read some books of Edward Tufte, did some research with colleagues and designed some studies about the so called "Visual Logfile Browsing".
The description of my project is:
"Nazar is a Visual Logfile Browser. It is designed as a Multipurpose-Application to present Logfile Content in a new-fashioned browsing manner provided by the Nazar-Flash-GUI. Instead of just reading Logfiles, you're able to browse them graphically and determine the relevant information at first glance."
"Browsing" means that you’re able to zoom in or out, move or delete nodes, switch the view by selecting another information level, watch the scene by shifting through the seconds of an event (not implemented yet), determine more information by moving the mouse over an element and so on.
The project is in development, so I have to admit that most of the functions aren't implemented yet. But - I hope that I'll be able to present you a working version this year. Up to now, the scalability is one main problem. I haven't tested it with a huge data set, because 'Threading' isn't implemented yet and it would certainly hang up reading a big amount of data. So - please - see it as a design study and nothing more.
Most of the text on my website is written in English. The upcoming "demo videos" are spoken in German. Nazar runs on Windows Systems, and requires Perl (Active Perl) to provide the parsing function.
Every hint and advice is welcome.