With network intrusion detection systems and other types of security data gathering tools, the average company ends up amassing large quantities of security data. But how to make sense
What is the concept behind security data visualization?
Conti: Security data visualization is a technique whose time has come. There's no shortage of security appliances and sensors, and each of those generates a tremendous amount of data. The data can be overwhelming because there are only a limited number of experts who can make sense of it. There are things humans are inherently good at, such as recognizing patterns, and there are things that machines are good at, like matching exact strings. Where computers are bad, that's where visualizations come in and help people make sense of the sea of data that they are confronted with.
People are wired to think visually and have a high bandwidth of visual recognition capability that we can use to communicate. A picture is worth a thousand words. If you can take this textual data or binary data and convert it to insightful pictures, you can then use it to communicate your message to other analysts, to your customers or to senior decision makers.
What is the process of security data visualization?
Conti: Typically, you have a large set of data that you want to find insight in. You combine that with a set of "problems" or tasks that you want to accomplish. You have this data and these tasks that you have no current solution for and no way to address. The process of visualization is taking the data and presenting it graphically in an insightful way. That's also the hard part.
Can you give some examples?
Conti: The best example and the lowest end of information visualization is with Excel graphics. You take a table of data and it's very hard to pick out what's biggest and smallest, to see a trend over time, but a simple graph will make things pop out at you. There's been active research going back 20 to 30 years, beyond Excel-class graphics like pie charts and bar graphs, and there are 200 or 300 techniques that can be applied to take what you see to a higher level. It may allow you to compare 10 different types of variables at one time versus just a pie chart, which is far more limited. You're taking these visualization approaches -- mapping the data to the visual display and providing these windows into what you're looking at.
You've developed this program, RUMINT. Can you describe it for us?
Conti: It is a bit of a joke -- it comes from intelligence community slang. People know SIGINT for signal intelligence, HUMINT for human intelligence, and IMINT for imagery intelligence like satellite images. RUMINT is for rumor intelligence. The idea is that when you're trying to help people solve a problem, you draw a box around what you're going to address. It addresses network data and packets of data. RUMINT keeps an eye on network packets of data.
How is it different from other tools that do the same thing?
Conti: The best-in-breed tool is Wireshark, formerly Ethereal. It's great but it's primarily textual. I wanted to see if I could take that same packet-level data and show it in a graphic, insightful way. That's what RUMINT does -- it loads the packet capture files and allows you to look at them with different views. Things will jump out that would be very hard to see in a textual view.
RUMINT is an open source tool and it's free for people to use and experiment with. I've put a lot of effort into making it usable. When building prototypes, there's a long road between creating something that only the person who wrote it can use to something that people can actually download, install and use. It allows you to see different types of activities that are impossible to see using textual tools, such as different values in the packets changing over time.
RUMINT is a good tool, but I won't claim it will cure cancer. It's a step in applying visualization to solve different problems.
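As an added illustration of the "values in the packets changing over time" view Conti describes (this is not code from the interview or from RUMINT itself), the script below reads a classic pcap file with nothing but the Python standard library, pulls out a few header fields per packet, and renders one text bar per packet so that a field can be read down the page as a time series. The capture it processes is constructed inline: three ordinary HTTPS connections from one host, then a port sweep from a second host with a different TTL. The field names, the sample addresses and the text-bar rendering are this example's own choices, not RUMINT's.

```python
"""Minimal pcap reader plus a text-mode 'field value over time' view of the packets."""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, host-endian; we write little-endian
LINKTYPE_ETHERNET = 1


def _ipv4_tcp_frame(src_ip, dst_ip, sport, dport, ttl, payload=b""):
    """Build an Ethernet/IPv4/TCP SYN frame (checksums left zero; constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Serialise (ts_sec, ts_usec, frame) tuples into a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in frames:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Return one dict per packet holding the fields worth plotting over time."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "len": incl_len,
               "src": None, "dst": None, "ttl": None, "proto": None, "dport": None}
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # EtherType IPv4
            ihl = (frame[14] & 0x0F) * 4
            rec["ttl"], rec["proto"] = frame[22], frame[23]
            rec["src"] = ".".join(str(b) for b in frame[26:30])
            rec["dst"] = ".".join(str(b) for b in frame[30:34])
            l4 = 14 + ihl
            if rec["proto"] in (6, 17) and len(frame) >= l4 + 4:  # TCP or UDP
                rec["dport"] = struct.unpack_from("!H", frame, l4 + 2)[0]
        records.append(rec)
    return records


def render_over_time(records, field, width=40):
    """One text line per packet: a bar whose length is the field value scaled to `width`.

    Reading down the column is the 'value changing over time' view. A sweep shows
    up as a staircase, a constant as a flat column, a host change as a step.
    """
    values = [r[field] for r in records if r[field] is not None]
    top = max(values) if values else 1
    t0 = records[0]["ts"] if records else 0.0
    lines = []
    for r in records:
        v = r[field]
        bar = "#" * round(width * v / top) if v is not None else "(n/a)"
        lines.append(f"{r['ts'] - t0:7.3f}s {r['src'] or '?':>15} {field}={v!s:>5} |{bar}")
    return lines


# Constructed traffic: three normal HTTPS connections, then a port sweep from a
# second host with a different TTL (addresses and ports are made up for the demo).
SAMPLE_FRAMES = [
    (1000, 0, _ipv4_tcp_frame("10.0.0.5", "10.0.0.80", 50001, 443, 64)),
    (1000, 250000, _ipv4_tcp_frame("10.0.0.5", "10.0.0.80", 50002, 443, 64)),
    (1000, 500000, _ipv4_tcp_frame("10.0.0.5", "10.0.0.80", 50003, 443, 64)),
] + [
    (1001, i * 10000, _ipv4_tcp_frame("192.0.2.9", "10.0.0.80", 40000 + i, port, 128))
    for i, port in enumerate((21, 22, 23, 25, 80))
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)


if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    for field in ("ttl", "dport"):
        print(f"--- {field} over time ---")
        print("\n".join(render_over_time(recs, field)))
```

Running it prints two columns: the TTL view steps from 64 to 128 when the second host starts talking, and the destination-port view climbs through 21, 22, 23, 25, 80 while the first three rows sit flat at 443. Swap `SAMPLE_PCAP` for the bytes of a real capture file to apply the same view to your own traffic.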
How does one acquire security data visualization tools?
Conti: You can buy someone else's solution that has visualization capabilities -- ArcSight comes to mind as one tool. You can also develop your own tools that you can use for visual approaches. I've received feedback while developing RUMINT, and one person compared it to being as fun as playing a video game. It's an important goal. If you find the right tool, your people actually want to look at the data and find it engaging and fun versus tedious and painful. Whether you're using someone else's tool at an SMB or building your own tool at a larger company, that's the same goal -- find it to be engaging and insightful, not just eye candy.
What industries can security data visualization apply to?
Conti: It's broadly applicable across sectors, but especially ones that require heavy analysis of data, particularly larger amounts of data where they're bursting at the seams and current tools can be overwhelmed. It's something that requires a human in the loop -- if they have machine solutions, visualization won't really help unless they're trying to find some new insight into the data. If they have successful machines, they won't need it and will save the humans for scenarios or questions that require a human's intelligence.
Do you see opportunities for value-added resellers and systems integrators to use security data visualization?
Conti: Visualization in general is very good for communicating a corporate message and problem. If you're trying to show distributed denial-of-service (DDoS) attacks, you can show a series of images and say, "This is what your network looks like, this data shows security problems." I think you could use visualization to communicate in an image something that will be easily interpreted by the people you're trying to communicate to. RUMINT can do that to a degree, but I think visualization in general can help you sell to customers and senior decision makers.
RUMINT can do it for packet data. One RUMINT user told me that they used it in a hospital and one machine was misbehaving. They used RUMINT to create a picture of what the machine was doing as opposed to an uninfected machine and were able to show the user why their machine was being taken off the network.
What type of customer can benefit the most from security data visualization?
Conti: That would be MSPs [managed service providers]. As an MSP, there's a security threat that you're trying to make your customers aware of. Visualizations can be used for that. RUMINT can be part of it, but full visualization is the best approach.
This was first published in December 2007