Q&A: Security Visualization

As chief security strategist and director of application product management, Raffael Marty is customer advocate and guardian – expert on all things security and log analysis at Splunk. Currently he uses his skills in data visualization, log management, intrusion detection, and compliance to solve problems and create solutions for Splunk customers. His passion for visualization is evident in the many presentations he gives at conferences around the world and his book: “Applied Security Visualization”. In addition, Raffy is the author of AfterGlow, founder of the security visualization portal, and contributing author to a number of books on security and visualization.

Security visualization has been getting quite a lot of press in the past year. Does it mean that it’s really become a mainstream practice?
I don’t think so. There is a continuum of problems. A lot of people are still troubled with identifying the data they should collect. Once that is done, they are struggling with actually collecting it. In this realm, a lot of people are making the mistake to go and find data, instead of defining their use-cases and then identifying what data they need to address the use-cases. So, once the data is collected, people are struggling with what to do with it. A lot of people are using their data for investigations, from operations use-cases (e.g., system failures) to security (forensic investigations), etc. Only a minority is using their IT data to actually pro-actively monitor the environment.

People don’t really understand their logs. They don’t understand what logs to collect and when collected, they don’t really know what’s in them and what things mean. Many products are offering textual tools. Only a few added some visual aids. And if they added visual aids, they are very primitive: charts (pies, line charts, bar charts), dashboards that combine those charts, and static reports. To do an actual investigation and to gain situational overview of an environment, we need much richer visualizations and interactive ways to explore the data. Splunk, for example, offers interactive visualizations.

Based on your experience, what would your estimate be on the number of security professionals using security visualization nowadays?
Not very many. See also my answer from above: A lot of people don’t even understand their data and do not have the data collected. Only those who satisfy both of these criteria are candidates to actually visualize their data. A number that might give an indication is that of the downloads of the DAVIX (davix.secviz.org) live CD. We built a CD that contains around 25 open source visualization tools, readily installed on the CD. We had over 800 downloads so far.

In your opinion, what are the areas in which security visualization is indispensable?
Any place that generates security data and needs to:

  • Explore and discover the data available, either for forensic purposes or for analytical reasons
  • Communicate the contents
  • Gain situational awareness
  • Have a way to make better decisions based on the data.

Each of these cases needs visualization to facilitate the process of understanding and managing the data. Actual use-cases encompass, for example: insider threat, compliance, and perimeter threat uses.

What are the security visualization tools that you personally use?
Unfortunately, there is no one tool that would satisfy all of my needs. To have the most flexibility, I built my own tool called AfterGlow to address a set of use-cases. The tool helps to generate link graphs and gives the user a lot of freedom in doing so. The second most used tool is a treemap visualization tool called Treemap.

What kind of development can we expect in the upcoming versions of security visualization tools? What new features would you like to see?
I hope to see some more visualization tools in the close future. If I could write a wish list, it would have the following content:

  • Highly interactive
  • Linked views and dynamic queries, i.e., there are multiple views that show the same data, but with different graphs. If a selection is made on one chart, the other chart is automatically updated.
  • Highly scalable
  • Standardized interfaces for data acquisition and no need for built-in parsers. (Parsing should be dealt with prior to getting the data into the tool)
  • A rich set of visual displays and graphs.

How long did it take you to write “Applied Security Visualization” and what was it like? Any considerable difficulties?
It took me 2 years from the first contact with the publisher about the topic to the published book. I wrote a blog entry about the process. The biggest challenge was that I had at least two chapters that I didn’t really know how to go about visualizing the topic, namely insider threat and compliance. It took me a significant amount of time to do all the research for those topics and write up a cohesive process. Interestingly enough, a lot of reviewers like the insider threat chapter the best.
Another problem that I encountered every now and then is that I didn’t have access to a lot of data to visualize. Especially, again for compliance and insider threat, I didn’t have real data sets to work with.

What are some of the interesting facts you discovered while researching for this book?
1. It is hard to generate the data needed for visualization. Even if an environment exists and access is available, the configuration of each of the data sources can be very hard.
2. There are no good visualization tools that could help quickly generate images.
3. There is definitely a need for use-case driven security visualization. A lot of people struggle with huge amounts of IT data and need to have tools to help them.
4. There is a need for a new discipline, secviz, which combines security and visualization. Currently, these disciplines are handled independently, instead of as one discipline.

What are your future plans? Any exciting new projects?
I am going to start teaching training around the topics of the book. I will also be speaking at a number of conferences on the topic of security visualization. I will keep working on DAVIX, the live CD for visualization tools to make security visualization available for bigger groups.