Discussion Entries

Adjacent to data visualization are all the different disciplines that help us getting from raw data to visualizations. There are the topics of big data, data mining, and data exploration which come to mind. The world has gotten quite confused and lax about using the terms artificial intelligence and machine learning. Often data mining, for example will be lumped underneath these topics. I have written a few pieces lately that talk about AI and ML in cyber security. They should help bringing a bit more clarity into the approaches and what is suited for the cyber discussion. The topic of data visualization is still a crucial one and I am not doing it justice in any of my write ups. But we shouldn't forget that data visualization is probably one of the most important methods when it comes to helping analysts better understand what they are looking at, and helping data scientists understand what their algorithms have just done.

Oh, and should you be interested in Virtual Reality - I just published a short critique of a 'pro VR' article.

Found a nice collection of network attack maps.

In early December, I gave the keynote at the ACSAC 2017 conference in Orlando, Florida.

In the presentation I look at a number of topics around using big data for security. I start by showing what big data looks like for security, how the history of using security for big data is tightly linked to the progress in big data itself. I talk about machine learning and artificial intelligence and show some of the limits and dangers of how we currently apply machine learning in security and how we can apply data visualization to help analysts better understand data. I then go on to peek a little bit into my magic 8 ball to see how security big data environments might look in the future and finish the presentation with posing a few challenges to the community about security for big data problems.

Hi all,

I am a PhD researcher at University of Southampton and my PhD topic is Visualisation in Cyber Security.

I have a questionnaire, for my thesis, aimed at people who have experience in Cyber Security, Visualization (or HCI) design or both. I would really appreciate if you can take some time out and fill out the questionnaire.

Please refer to the link below for more information or contact me. :)

https://www.isurvey.soton.ac.uk/23438

Thank you.
Aneesha Sethi
Aneesha.Sethi@soton.ac.uk

VISUAL ANALYTICS – DELIVERING ACTIONABLE SECURITY INTELLIGENCE

BlackHat 2017 - Las Vegas

Big Data is Getting Bigger - Visualization is Getting Easier - Learn How!
Dates: July 22-23 & 24-25
Location: Las Vegas, USA

SIGN UP NOW

OVERVIEW

Big data and security intelligence are the two very hot topics in security. We are collecting more and more information from both the infrastructure, but increasingly also directly from our applications. This vast amount of data gets increasingly hard to understand. Terms like map reduce, hadoop, spark, elasticsearch, data science, etc. are part of many discussions. But what are those technologies and techniques? And what do they have to do with security analytics/intelligence? We will see that none of these technologies are sufficient in our quest to defend our networks and information. Data visualization is the only approach that scales to the ever changing threat landscape and infrastructure configurations. Using big data visualization techniques, you uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. Something that is increasingly referred to as hunting. The attendees will learn about log analysis, big data, information visualization, data sources for IT security, and learn how to generate visual representations of IT data. The training is filled with hands-on exercises utilizing the DAVIX live CD.

What's New?

The workshop is being heavily updated over the next months. Check back here to see a list of new topics:

• Security Analytics - UEBA, Scoring, Anomaly Detection
• Hunting
• Data Science
• 10 Challenges with SIEM and Big Data for Security
• Big Data - How do you navigate the ever growing landscape of Hadoop and big data technologies? Tajo, Apache Arrow, Apache Drill, Druid, PrestoDB from Facebook, Kudu, etc. We'll sort you out.

SYLLABUS

The syllabus is not 100% fixed yet. Stay tuned for some updates.

Day 1:

Log Analysis

• Data Sources Discussion - including PCAP, Firewall, IDS, Threat Intelligence (TI) Feeds, CloudTrail, CloudWatch, etc.
• Data Analysis and Visualization Linux (DAVIX)
• Log Data Processing (CSVKit, ...)

SIEM, and Big Data

• Log Management and SIEM Overview
• LogStash (Elastic Stack) and Moloch
• Big Data - Hadoop, Spark, ElasticSearch, Hive, Impala

Data Science

• Introduction to Data Science
• Introduction to Data Science with R
• Hunting

Day 2:

Visualization

• Information Visualization History
• Visualization Theory
• Data Visualization Tools and Libraries (e.g., Mondrian, Gephi, AfterGlow, Graphiti)
• Visualization Resources

Security Visualization Use-Cases

• Perimeter Threat
• Network Flow Analysis
• Firewall Visualization
• IDS/IPS Signature Analysis
• Vulnerability Scans
• Proxy Data
• User Activity
• Host-based Data Analysis

Sample of Tools and Techniques

Tools to gather data:

• argus, nfdump, nfsen, and silk to process traffic flows
• snort, bro, suricata as intrusion detection systems
• p0f, npad for passive network analysis
• iptables, pf, pix as examples of firewalls
• OSSEC, collectd, graphite for host data

We are also using a number of visualization tools to analyze example data in the labs:

• graphviz, tulip, cytoscape, and gephi
• afterglow
• treemap
• mondrian, ggobi

Under the log management section, we are going to discuss:

• rsyslog, syslog-ng, nxlog
• logstash as part of the elastic stack, moloch
• commercial log management and SIEM solutions

The section on big data is covering the following:

• hadoop (HDFS, map-reduce, HBase, Hive, Impala, Zookeper)
• search engines like: elastic search, Solr
• key-value stores like MongoDB, Cassandra, etc.
• OLAP and OLTP
• The Spark ecosystem

SIGN UP

TRAINER

Raffael Marty is vice president of security analytics at Sophos, and is responsible for all strategic efforts around security analytics for the company and its products. He is based in San Francisco, Calif. Marty is one of the world's most recognized authorities on security data analytics, big data and visualization. His team at Sophos spans these domains to help build products that provide Internet security solutions to Sophos' vast global customer base.

Previously, Marty launched pixlcloud, a visual analytics platform, and Loggly, a cloud-based log management solution. With a track record at companies including IBM Research, ArcSight, and Splunk, he is thoroughly familiar with established practices and emerging trends in the big data and security analytics space. Marty is the author of Applied Security Visualization and a frequent speaker at academic and industry events. Zen meditation has become an important part of Raffy's life, sometimes leading to insights not in data but in life.

We recently posted a case study of how a Fortune 100 company is using Security Visualization as a front end to their various data collection systems. The Security Visualization allows the company's analysts to look at 100's of thousands of correlations each day and apply human pattern recognition to spot the "needles in the haystack". These are threats that are designed to avoid traditional intrusion and event management. Once the potential threat is identified and the log data is carved down to just the logs that are relevant, that subset of log data is then attached to a case study and delivered to case investigation for further evaluation. In addition to identifying and carving down to just the relevant logs, the security visualization also makes it easier to communicate the findings to the extended team.

In this situation data is imported from several sources. Those sources include intrusion detection systems (e.g., SourceFire), firewall protection (e.g., Palo Alto, SonicWALL), and virus scan / endpoint protection (e.g. Symantec) in addition to correlation systems (e.g., HP ESM, Splunk, etc.). Security Visualization allows the analysts to hunt for unknown and unexpected threats. Threats such as time staged attacks, diagonal attacks, cluster attacks, octal jump attacks, embedded activity attacks, etc.

This case study is recorded and can be viewed at http://www.advizorsolutions.com/articles/security-visualization. The case study lasts 25 minutes, and is followed by a Q&A.

Doug Cogswell,
ADVIZOR Solutions, Inc.

Hi, I am a Phd candidate in Informatics Institude at Middle East Technical University. I prepared an online survey as a part of my phd thesis. However, since this subject is relatively new I can not find anybody who may fill this survey around me in Turkey.

The survey is in Google Forms, at link https://goo.gl/forms/xbfmrqJ4jxA4rvQ53. It is not very short :( It may take around 20 minutes but it is easy to fill, mostly composed of multi selection questions. Uncompleted survey results are not saved so the participants should complete the survey.

Although we ask questions related to security systems and security visualization systems used to understand the visualization requirements.The survey, in general, does not include questions that give personal discomfort. No tracking information such as email or organization name is asked during the survey. More descriptive information about how the survey results will be used exists in the starting page. So, please do not hesitate to fill, due to your privacy concerns.

I hope experts of this forum may help me by filling the survey during a coffee break. I need to take feedback soon, before my next thesis committee. I appreciate your help to a newbie security visualization researcher (me) :)

Many thanks,
Ferda Özdemir Sönmez

The 13th IEEE Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cybersecurity community through new and insightful visualization and analysis techniques. VizSec provides an excellent venue for fostering greater exchange and new collaborations on a broad range of security- and privacy-related topics. VizSec will be held in Baltimore, MD, USA in conjunction with IEEE VIS.

The purpose of VizSec is to explore effective and scalable visual interfaces for security domains such as network security, computer forensics, reverse engineering, insider threat detection, cryptography, privacy, user assisted attacks prevention, compliance management, wireless security, secure coding, and penetration testing.

Technical Papers

Full papers describing novel contributions in security visualization are solicited. Papers may present techniques, applications, practical experience, theory, analysis, experiments, or evaluations. We encourage the submission of papers on technologies and methods that promise to improve cyber security practices, including, but not limited to:

- Situation awareness and/or understanding
- Incident handling including triage, exploration, correlation, and response
- Computer forensics
- Recording and reporting results of investigations
- Assisting proactive security configuration and deployment
- Reverse engineering and malware analysis
- Vulnerability management
- Multiple data source analysis
- Analyzing information requirements for computer network defense
- Evaluation and/or user testing of VizSec systems
- Criteria for assessing the effectiveness of cyber security visualizations
(whether from a security goal perspective or a human factors perspective)
- Modeling system and network behavior
- Modeling attacker and defender behavior
- Studying risk and impact of cyber attacks
- Predicting future attacks or targets
- Security metrics and education
- Software security
- Mobile application security
- Social networking privacy and security

When applicable, visualization and interaction techniques that effectively capture the insights of human analysts and/or allow analysts to collaborate efficiently are particularly desirable.

*** New for 2016! *** Case Studies

Short papers describing practical applications of security visualization are solicited. We encourage the submission of papers discussing the introduction of cyber security visualizations into operational context, including, but not limited to:

- Cases where visualization made positive contributions towards meeting
operational needs
- Gaps or negative outcomes from visualization deployments
- Situations where visualization was not utilized, but could have had a
positive impact
- Lessons learned from operational engagements
- Insights gained from the transition process

Cyber security practitioners from industry, as well as the research community, are encouraged to submit case studies.

Posters

Poster submissions may showcase late-breaking results, work in progress, preliminary results, or visual representations relevant to the VizSec community. The poster program will be a great opportunity for the authors to interact with the attendees and solicit feedback.

Submissions

Submissions must be formated using the IEEE VGTC template that can be found at http://junctionpublishing.org/vgtc/Tasks/camera.html. All submissions should be in PDF format.

Submit papers and poster abstracts using EasyChair: http://www.easychair.org/conferences/?conf=vizsec2016

Papers should be at most 8 pages including the bibliography and appendices. Papers will be peer-reviewed by at least 3 members of the program committee. Committee members are not required to read the appendices or any pages past the maximum. Submissions not meeting these guidelines will be rejected without consideration of their merit. Reviews are single-blind, so authors may include names and affiliations in their submissions. Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings.

The VizSec proceedings will be published by IEEE. Authors of accepted papers must guarantee that their papers will be presented at the conference.
Case Studies

Case studies should be at most 4 pages including the bibliography and appendices. Case study submissions will be reviewed by the Paper Chair(s) and other members of the organizing committee to determine relevance to the VizSec community.

Accepted case study authors will have time to present their work at VizSec during the program.

Accepted case studies will be made available on this website.

Extended abstract for posters should be at most 2 pages including the bibliography. Poster abstracts will be reviewed by the Poster Chair(s) and other members of the organizing committee to determine relevance to the VizSec community.

Accepted authors must present a corresponding poster during the workshop. The poster authors can determine the layout by themselves, but the dimensions of the posters should not exceed the A0 space (841mm x 1189mm or 33.1" x 46.8"). Additionally, poster authors are requested to give a brief oral preview during a plenary "fast forward" session.

Accepted poster abstracts will be made available on VizSec website.

When applicable, submissions including tests and evaluations of the proposed tools and techniques are considered particularly desirable. If possible, making the data used for the tests available will also be considered positively. If you do not have real-world data to demonstrate your visualization, you may be interested in looking at the VAST Challenge data sets.

Important Dates

All deadlines are 5:00 PM PST

Papers and Case Studies

August 1, 2016
Submission for Papers and Case Studies
September 5, 2016
Author Notification for Papers and Case Studies
October 3, 2016
Camera Ready Submission and Copyright Forms for Papers

Posters

September 19, 2016
Abstract Submission for Posters
September 30, 2016
Author Notification for Posters

We've created a free tool for visualizing live streams of network traffic, using JMonkeyEngine (Java 3D gaming engine).

Please take a look at deepnode.com - we would very much appreciate feedback from this community.

Rather than focusing on mining of static datasets, this tool focuses on seeing activity over time, and controlling the timeline so that a human can connect the dots. Here's a link to information on the concept behind the visualization style.

As for the screenshot, this video explains what you're looking at.

VISUAL ANALYTICS – DELIVERING ACTIONABLE SECURITY INTELLIGENCE

BlackHat 2015 - Las Vegas

Big Data is Getting Bigger - Visualization is Getting Easier - Learn How!
Dates: AUGUST 1,2 & 3,4
Location: Las Vegas, USA

SIGN UP NOW

OVERVIEW

Big data and security intelligence are the two very hot topics in security. We are collecting more and more information from both the infrastructure, but increasingly also directly from our applications. This vast amount of data gets increasingly hard to understand. Terms like map reduce, hadoop, spark, elasticsearch, data science, etc. are part of many discussions. But what are those technologies and techniques? And what do they have to do with security analytics/intelligence? We will see that none of these technologies are sufficient in our quest to defend our networks and information. Data visualization is the only approach that scales to the ever changing threat landscape and infrastructure configurations. Using big data visualization techniques, you uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. Something that is increasingly referred to as hunting. The attendees will learn about log analysis, big data, information visualization, data sources for IT security, and learn how to generate visual representations of IT data. The training is filled with hands-on exercises utilizing the DAVIX 2014 live CD.

What's New?

The workshop has undergone quite some updates. Here are some highlights:

• A general overhaul of the data source section with a focus on calling out pitfalls and lesser known features of different sources. It also finally features the topic of threat feeds as an important data source.
• The log processing section now covers the CSVKit to help process data on the command line. SQL on CSV files anyone?
• Log management has been tightened up to contain the basics of log management and SIEM. The ELK Stack and Moloch are two tools we look at in depth .
• The discussion of LogStash has expanded with more information on how to run it, example configurations, and an in-depth exercise where we even use the LogStash APIs to query data via REST
• Big Data has gotten a revamp to a more up to date version with all the things that happened in the last year. This section discusses the new concept of the bid data lake for security also.
• If there is time and the class is interested, we will embark on a quick journey into data science with R, where we also run through an exercise.
• The visualization part has undergone some reorganization. Previously, visualization tools and visualization were separate sections. Now they are much more mixed and the visualization section itself has many more security examples to drive the concepts home.
• One of the visualization tools, Gephi is discussed in depth and we show how to go through a network traffic analysis, which will also show the short comings that many visualization tools have.
• When talking about dashboards, we will also look at the topic of the SOC dashboard.
• And finally the security visualization use-cases across the training have been increased in volume and detail. Have you tried to use an inverse count treemap for IDS signature tuning?

SYLLABUS

Day 1:

Log Analysis

• Data Sources Discussion such as PCAP, Firewall, IDS, Threat Feeds, etc.
• Data Analysis and Visualization Linux (DAVIX)
• Log Data Processing (CSVKit, ...)

Log Management and SIEM

• Log Management and SIEM Overview
• LogStash (ELK Stack) and Moloch
• Big Data - Hadoop, Spark, ElasticSearch, Hive, Impala

Day 2:

Visualization

• Information Visualization History
• Visualization Theory
• Data Visualization Tools and Libraries (e.g., Mondrian, Gephi, AfterGlow, Graphiti)
• Visualization Resources

Security Visualization Use-Cases

• Perimeter Threat
• Network Flow Analysis
• Firewall Visualization
• IDS/IPS Signature Analysis
• Vulnerability Scans
• Proxy Data
• User Activity
• Host-based Data Analysis

Sample of Tools and Techniques

Tools to gather data:

• argus, nfdump, nfsen, and silk to process traffic flows
• snort, bro, suricata as intrusion detection systems
• p0f, npad for passive network analysis
• iptables, pf, pix as examples of firewalls
• OSSEC, collectd, graphite for host data

We are also using a number of visualization tools to analyze example data in the labs:

• graphviz, tulip, cytoscape, and gephi
• afterglow
• treemap
• mondrian, ggobi

Under the log management section, we are going to discuss:

• rsyslog, syslog-ng, nxlog
• logstash as part of the ELK stack, moloch
• commercial log management and SIEM solutions

The section on big data is covering the following:

• hadoop (HDFS, map-reduce, HBase, Hive, Impala, Zookeper)
• search engines like: elastic search, Solr
• key-value stores like MongoDB, Cassandra, etc.
• OLAP and OLTP
• The Spark ecosystem

SIGN UP

TRAINER

Raffael Marty is one of the world's most recognized authorities on security data analytics and visualization. Raffy is the founder and CEO of pixlcloud, a next generation visual analytics platform. With a track record at companies including IBM Research and ArcSight, he is thoroughly familiar with established practices and emerging trends in big data analytics. He has served as Chief Security Strategist with Splunk and was a co-founder of Loggly, a cloud-based log management solution. Author of Applied Security Visualization and frequent speaker at academic and industry events, Raffy is a leading thinker and advocate of visualization for unlocking data insights. For more than 14 years, Raffy has worked in the security and log management space to help Fortune 500 companies defend themselves against sophisticated adversaries and has trained organizations around the world in the art of data visualization for security. Zen meditation has become an important part of Raffy's life, sometimes leading to insights not in data but in life.

I attended Visual Analytics Workshop last year at BlackHat and have gotten endless use from afterglow, neato, etc to make interesting visualizations.

Here is a short youtube video I put together, with attack data taken from Nginx logs:

(Music is by a local San Francisco band: Vetiver)

Visual Analytics, especially the exploration of data requires a scalable and flexible data backend. It is not uncommon that gigabytes, maybe even terabytes of data need to be queried for a specific analytics tasks. Furthermore, the more context around log data is available, the more expressive the data gets and the deeper the insight that can be discovered in the data. How can we gather all that context and combine it with both network-based, as well as host-based data? What are the data access requirements? How can we run data mining algorithms, such as clustering across all of the data? What kind of data store do we need for that? Do we need a search engine as a backend? Or a columnar data store?

I recently wrote a paper about the topic of a security data lake that is a concept of a data backend enabling a variety of processing and access use-cases. A short introduction to the topic is available as well.

Maybe at a later point in time, I will try to address the topic of data science and techniques, as well as workflows to make all that big data actionable. How do you take a terabyte of data and find actual insights? Just dropping that data into a network graph visualization is not going to help. You need a bit more to make that happen. But again, more on that later.

If you want to learn more about how to visualize and analyze terabytes of data, attend the Visual Analytics Workshop at BlackHat 2015 in Las Vegas.

Again, here is where you download the paper.

I just wrote a short blog post about how to get value and use out of your large SOC (security operations center) screens. I have seen too many SOCs that have CNN running on the screens and whenever customers or executives walk in, they quickly switch over to some kind of meaningless world maps that look kind of sexy, but have no security relevant purpose at all. From a security analyst's perspective, it is really not very useful to know from where across the globe most of the network packets are hitting our network. All those sexy looking attack maps really don't have that much value. Well, they can be sexy and provoke conversations. But there are ways to get more out of your expensive screens. Read how:

Dashboards in the Security Opartions Center (SOC)

I need your help!

I am looking through an old log file of a server with IP address 195.141.69.45 that I operated in 2002. The machine was running SuSE linux 6.0 (i386). It ran bind (9.1.0), sendmail (8.11.2), and was mainly used as a SMTP server to send mails for a number of users. I found these logs from my pf firewall that was in front of the box:

Oct 21 06:06:58.096785 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 61.215.160.253.53: 2520 [1au][|domain] (DF)
Oct 21 06:06:58.401472 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 210.175.50.163.53: 16979 [1au][|domain] (DF)
Oct 21 06:07:00.407500 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 210.175.50.162.53: 47817 [1au][|domain] (DF)
Oct 21 06:07:02.417637 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 61.215.160.254.53: 34849[|domain] (DF)
Oct 21 06:07:11.298946 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 204.123.2.19.53: 20792 [1au] MX? www.com.ar. (39) (DF)
Oct 21 06:07:11.477536 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 200.10.202.3.53: 21611 [1au] MX? www.com.ar. (39) (DF)
Oct 21 06:07:11.804894 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 200.68.93.195.53: 21263 [1au] MX? www.com.ar. (39) (DF)
Oct 21 06:15:19.667120 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 194.83.244.131.53: 60127 [1au] MX? sticksandstones.co.uk. (50) (DF)
Oct 21 06:15:19.691967 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 212.62.7.30.53: 58792 [1au] MX? sticksandstones.co.uk. (50) (DF)
Oct 21 06:20:00.844472 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 192.12.94.30.53: 29396 MX? about.com. (27) (DF)
Oct 21 06:20:00.859900 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 205.151.222.254.53: 14698[|domain] (DF)
Oct 21 06:20:01.021076 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 207.126.123.236.53: 13317 [1au] MX? about.com. (38) (DF)
Oct 21 06:20:01.070317 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 65.214.161.5.53: 14337 [1au] MX? mx13.crazed.com. (48) (DF)
Oct 21 06:21:02.121813 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 192.33.14.30.53: 34672 MX? poetic.com. (28) (DF)
Oct 21 06:21:02.297033 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 216.21.234.76.53: 25081 [1au] MX? poetic.com. (39) (DF)

As you can see, there are a number of DNS lookups. They span a total of about two weeks and ALL of them are using a source port of 1030. Why 1030? Why is it fixed all the time? Shouldn't the source port change?

There are other logs intermixed, where DNS lookups happen from other source ports:

Oct 13 20:46:03.915405 rule 184/0(match): pass in on xl1: 195.141.69.42.63994 > 193.192.227.3.53: 60676+[|domain]

Those are normal and I completely understand those. Any ideas why all these others have 1030 as a source port?

After 6 years, we finally have a new version of DAVIX available. It was about time to get this distro updated to modern standards. Ubuntu Server 13.10 as the base OS, github scripts to update your own systems, a Virtual Image you can download, new tools, etc.

CHECK IT OUT!

What is DAVIX?

DAVIX, a live CD for data analysis and visualization, brings the most important free tools for data processing and visualization to your desk. Avoid the hassle of installing an operating system or struggling to build and compile the necessary tools to get started with visualization. You can completely dedicate your time to data analysis.

Now go download it!

This is the last post in the series of links for the Visual Analytics Workshop. This section lists a few resources on security and visualization.

Looking for the rest of links for the workshop?

- Introductionary Links
- Data Sources
- Data Processing
- Log Management and SIEM
- Big Data
- Visualization
- Visualization Tools

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

The section probably most anticipated during the Visual Analytics Workshop is probably the one where we get hands-on exposure with a number of visualization tools. We look at both actual tools and programming libraries. Here we go:

These are the tools and libraries we discuss during the workshop. Obviously, there are many more libraries and tools that I like to use in my daily work. But that will be a separate post at some point in the future.

Looking for the previous list of links for the workshop?

- Introductionary Links
- Data Sources
- Data Processing
- Log Management and SIEM
- Big Data
- Visualization

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

Next up: Visualization, the sixth module of the Visual Analytics Workshop. Note, this section is mostly content from books and not related to many Web-based resources that could be linked here. Hence kind of a short collection.

Looking for the previous list of links for the workshop?

- Introductionary Links
- Data Sources
- Data Processing
- Log Management and SIEM
- Big Data

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

Next up: Visualization Tools

I had the pleasure of attending the Underground Economy Conference this year in Bucharest, Romania. I ran a 90 minute workshop on big data and visualization. The workshop covered a number of tools, such as:



• Spark
• Elastic Search
• LogStash
• Moloch
• Packetpig
• Gephi
• Mondrian
• AfterGlow
• Treemap

Here are the slides from the workshop [Well, almost all of them. Having attended the workshop, you will have seen some more]. In addition, you can download the DAVIX image that you need for the exercise.

This next module of the Visual Analytics Workshop is about Big Data. And here are the links that show up during this section. Keep in mind that especially this module is constantly evolving and has in the last months. New sections and links will be added to the training class very frequently.

Looking for the previous list of links for the workshop?

- Introductionary Links
- Data Sources
- Data Processing
- Log Management and SIEM

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training