Among the blind, the squinter rules. Security visualization in the field (PowerPoint presentation)


slide-1
SLIDE 1

Among the blind, the squinter rules.

Security visualization in the field

slide-2
SLIDE 2

About me

Wim Remes .Ernst and Young Belgium (ITRA FSO)

.Incident Response/Analysis .Security Monitoring (SIEM) .Security Management

.Eurotrash podcast .InfosecMentors

@wimremes on twitter wremes-at-gmail-dot-com

slide-3
SLIDE 3

Disclaimer

The opinions and ideas expressed in this talk are my own and are not endorsed by any corporate entity or church.
slide-4
SLIDE 4

Agenda

  • 1. tools can [save|kill] your day
  • 2. visualization hall of fail
  • 3. please your audience
  • 4. tips & tricks
  • 5. Let’s get to work
slide-5
SLIDE 5

Tools can [save|kill] your day

slide-6
SLIDE 6

What tools can I use?

cool kids use this (not!)

slide-7
SLIDE 7

What tools can I use?

  • Desktop
  • Server
slide-8
SLIDE 8

Security tools will help ...

PS: export to CSV works well ... try it for a 5000+ host network ;)
slide-9
SLIDE 9

credit where credit is due ...

slide-10
SLIDE 10

this is going in the right direction...

slide-11
SLIDE 11

Open source it is then ...

grep sed awk perl ...

http://www.secviz.org (kudos to @zrlram)

slide-12
SLIDE 12

visualization hall of fail

slide-13
SLIDE 13

PIE

It’s what’s in your face

slide-14
SLIDE 14

whoa, I take the biggest piece !

slide-15
SLIDE 15

Even the best can fail...

slide-16
SLIDE 16

sometimes however, they rock ...

slide-17
SLIDE 17

to explain simple stuff ;-)

slide-18
SLIDE 18

“if bullet points are the obvious killers, pie charts are shurikens”

slide-19
SLIDE 19

3D?

slide-20
SLIDE 20

failing in style ...

slide-21
SLIDE 21

playing hide and seek?

slide-22
SLIDE 22

we have to raise the bar ... or maybe not ...
slide-23
SLIDE 23

please your audience

slide-24
SLIDE 24

Changing the tune keeps people engaged

picture by tochis: http://www.flickr.com/photos/tochis/
slide-25
SLIDE 25

Many eyes see different things

picture by tochis: http://www.flickr.com/photos/tochis/
slide-26
SLIDE 26

you’re the designer

slide-27
SLIDE 27

who's that for?

Management:
  • Historical
  • Comparative
  • Supporting Decisions & Business Objectives
  • Clear & Concise
  • Actionable!

Technical:
  • (Near) Real Time
  • More complex
  • Facilitating the job
  • Actionable!

42

slide-28
SLIDE 28

tips & tricks

slide-29
SLIDE 29

Zen master of data visualization

Edward Tufte

data can be beautiful! data should be beautiful!

slide-30
SLIDE 30

Dashboard design guru

Stephen Few

“The sad thing about dancing bearware is that most people are quite satisfied with the lumbering beast.”

Alan Cooper, 1999, The Inmates Are Running the Asylum.
slide-31
SLIDE 31

sparklines (aka datawords)

slide-32
SLIDE 32

Infographs

[infographic courtesy of ZoneAlarm (by Checkpoint); scale 5 to 13]

slide-33
SLIDE 33

choose your chart wisely

http://www.flickr.com/photos/amit-agarwal/3196386402/
slide-34
SLIDE 34

Get data from external sources

  • osvdb.org
  • datalossdb.org
  • various industry reports
  • Verizon DBIR
  • EY GISS
  • Trustwave, McAfee, Symantec, ...
  • virustotal.com
  • cvedetails.com

context creates clarity

slide-35
SLIDE 35

Let's make things better

[bar chart: Vulnerabilities by Severity Level; severity 5 to 1 on the x-axis, 25 to 100 on the y-axis]

3D?

compared to? last year? last month?
slide-36
SLIDE 36

Messy Dashboards (1/5)

slide-37
SLIDE 37

network status

Messy Dashboards (2/5)

slide-38
SLIDE 38

[chart: Events/Second, 12:00 to 13:00, scale 375 to 1500]

Messy Dashboards (3/5)

slide-39
SLIDE 39

Top attackers: 10.10.10.10, 192.168.10.234, 172.30.12.15, 8.8.8.8
Top targets: 172.16.12.30, 172.16.12.15, 172.16.12.230, 172.16.12.120

Messy Dashboards (4/5)

slide-40
SLIDE 40

[chart: Local Network - Inbound bytes, 9:00 to 13:00, scale 1000 to 4000]

Messy Dashboards (5/5)

slide-41
SLIDE 41

network status

[dashboard mock-up combining the five panels above:]
  • Events/Second (12:00 to 13:00, scale 375 to 1500)
  • Major Events: worms, portscans, failed logins, FTP (scale 15 to 60)
  • Windows / Unix / Network
  • Top attackers: 10.10.10.10, 192.168.10.234, 172.30.12.15, 8.8.8.8
  • Top targets: 172.16.12.30, 172.16.12.15, 172.16.12.230, 172.16.12.120
  • Local Network - Inbound bytes (9:00 to 13:00, scale 1000 to 4000)

server health
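As an added example (not code from the talk), here is how the cleaned-up slide-41 dashboard can be fed from raw event logs in a few lines of Python, in the grep/sed/awk spirit of slide 11: the Events/Second series becomes a sparkline (the "datawords" of slide 31), and the Major Events, Top attackers and Top targets panels are plain counters. The four-column log format is an assumption and the log itself is constructed; the addresses are the ones on the slide.

```python
from collections import Counter

# Constructed sample log, one event per line: "HH:MM category src_ip dst_ip"
SAMPLE_LOG = """\
12:01 portscan 10.10.10.10 172.16.12.30
12:03 failed_login 192.168.10.234 172.16.12.15
12:04 portscan 10.10.10.10 172.16.12.230
12:12 worm 172.30.12.15 172.16.12.120
12:15 failed_login 192.168.10.234 172.16.12.15
12:27 ftp 8.8.8.8 172.16.12.30
12:33 portscan 10.10.10.10 172.16.12.30
12:35 failed_login 192.168.10.234 172.16.12.15
12:48 worm 172.30.12.15 172.16.12.120
12:55 portscan 10.10.10.10 172.16.12.15
"""

SPARK = "▁▂▃▄▅▆▇█"  # eight glyph levels; one glyph per time bucket

def parse(log):
    """Yield (time, category, src, dst) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def events_per_bucket(events, minutes=10):
    """Count events per N-minute bucket, keyed by the bucket start 'HH:MM'."""
    counts = Counter()
    for t, *_ in events:
        h, m = map(int, t.split(":"))
        counts[f"{h:02d}:{m - m % minutes:02d}"] += 1
    return dict(sorted(counts.items()))

def sparkline(values):
    """Render a series as a dataword: glyph height scaled to the series maximum."""
    top = max(values, default=0)
    return "" if top == 0 else "".join(SPARK[v * 7 // top] for v in values)

def top_n(events, field, n=4):
    """Top-N addresses by column: field 2 = attacker (src), field 3 = target (dst)."""
    return Counter(e[field] for e in events).most_common(n)

def dashboard(log):
    """The slide-41 panels as plain data, ready for any chart library."""
    events = list(parse(log))
    buckets = events_per_bucket(events)
    return {"events_per_bucket": buckets,
            "sparkline": sparkline(list(buckets.values())),
            "major_events": dict(Counter(e[1] for e in events)),
            "top_attackers": top_n(events, 2), "top_targets": top_n(events, 3)}
```

dashboard(SAMPLE_LOG) returns the panel contents as dicts and (address, count) lists; a real SIEM or IDS export only needs to be mapped onto the four-column shape that parse() expects.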

slide-42
SLIDE 42

3,1415926535897932384626433832

slide-43
SLIDE 43

[chart: attacking hosts by country (US, NL, CN, BE, DE) and by network: TimeNet, VolumeDrive, EuroAccess, RoadRunner, Great Lakes Comnet, ISPSYSTEM-AS, KEYWEB AS]

Blink... Understand

slide-44
SLIDE 44

[pie chart by country: DE, BE, NL, CN, US]

Ok, we can still say it with pie

slide-45
SLIDE 45

let’s get to work

slide-46
SLIDE 46

Davix | gltail

http://dataviz.com.au/blog/Visualizing_VOIP_attacks.html

ruby | real time | logs (http://www.fudgie.org/)

slide-47
SLIDE 47

Davix | afterglow

credit: David Bernal Michelena (http://www.honeynet.org/challenges/2010_5_log_mysteries)
slide-48
SLIDE 48

(extra)

http://www.secviz.org/content/top-ssh-brute-force-attackers

perl | chart director

slide-49
SLIDE 49

Google Charts API

http://code.google.com/apis/chart/

http://search.cpan.org/dist/URI-GoogleChart/

slide-50
SLIDE 50

jquery libraries

http://jquery.com/
http://omnipotent.net/jquery.sparkline/
http://www.jqplot.com/

slide-51
SLIDE 51

Conclusions

  • We need data standardization badly
  • Understand your data
  • We need to think outside the box
  • There's more to visualization than pie charts
  • There are tools out there: use them wisely

slide-52
SLIDE 52

Thank you

wremes@gmail.com - @wimremes