Visualization is not a new concept to me: I’ve been turning data into various types of trends, charts, graphs, maps and 3D images for years. But the concept of viewing and interpreting security and network data through visualization is relatively new, and I think you’re going to be seeing a lot more of this in the coming months and years.
One of the things I have the… pleasure… of doing is consulting with various manufacturers to see how they can make their products and interfaces more usable. Specifically, I try to help them understand what to add or change in order to allow customers to interpret and use the data that’s being delivered to them. How can they take all this stuff, make sense of it, and correlate it to events on the network?
A lot of the time that means finding ways to map data sources to known devices on the network, and parsing out what’s expected vs. what’s unexpected or anomalous. We do this for WAN- and LAN-based data, and for sources within the network, in the DMZ and externally. It’s a lot of work and still not as wizard-like as we might hope.
But I think I’ve just found my new favourite toy, and it came via Splunk. When I saw it, I just had to have it. :)
I didn’t get far with the Splunk demo at RSA, but totally made up for it at Interop, by way of an extremely knowledgeable woman – Christina Noren, the VP of Product Management there at Splunk. Talk about someone who knows her stuff. I was really amazed with what this little log search engine can do. And, add to that the overview of visualization I got from Raffy Marty, Chief Security Strategist, and I was totally blown away. With Splunk, you can quickly gain insight into the events happening on your network, and the visualization tools give you a unique and easy-to-interpret representation of the data.
The two together build a foundation for some great security tools, and ways to visualize data and trends for everything from PCI compliance to Change Management to Phishing attacks… and more.
Why is this important? I’m always looking for new ways to present data to customers. We can throw all the gadgets we want onto the network, but ultimately someone (not someTHING) needs to know what’s going on, especially in a world where people are now being held personally responsible for security, or the lack thereof. There’s a lot of data and a lot of events, and we need a way to turn that information into something usable.
Go forth and play… You can download Splunk (yes, for free) at Splunk.com. Check out the blogs and SplunkBase to get more cool tools and plug-ins. In a couple of months, Raffy’s new book, Applied Security Visualization, will be released; it includes more in-depth information on using visualization in your environment. I strongly suggest you read it. Need more reasons to check it out? They have the BEST t-shirts ever…
Expect to see more from me on this topic, and some tips and tricks for Splunk…
# # #
I discovered this book a few weeks back in the local Big Chain Bookstore, and found it to be quite interesting. It is: Security Data Visualization: Graphical Techniques for Network Analysis, by Greg Conti, from No Starch Press. It has some interesting methods of visualization for the data you get from different security tools, and most are open source. Thought you might be interested in checking it out. Please keep up the great blog! :)