PRAISE FOR APPLIED SECURITY VISUALIZATION

“If we subscribe to the sage advice of Confucius, ‘What I hear, I forget. What I see, I remember. What I do, I understand,’ then Raffael Marty’s Applied Security Visualization will surely bring us much wisdom. Marty embraces the security visualization discipline with panache, fluid grace, and exquisite detail...a must read for sec vis experts and novices alike.”
—Russ McRee, HolisticInfoSec.org

“Collecting log data is one thing, having relevant information is something else. The art to transform all kinds of log data into meaningful security information is the core of this book. Raffy illustrates in a straightforward way, and with hands-on examples, how such a challenge can be mastered. Let’s get inspired.”
—Andreas Wuchner, Novartis

“This book starts with the basics of graphing and visualization and builds upon that with many examples of log analysis, compliance reporting, and communicating security information. I recommend this book for anyone with the task of analyzing volumes of security and compliance data who must then report their findings in a clear and concise manner.”
—Ron Gula, CTO, Tenable Network Security

“Raffael Marty truly shows you the ropes to security visualization from the very basics to complete case studies. The broad range of use-cases and the wealth of hands-on examples throughout the book continuously inspire you to new visualization applications in your domain of competence.”
—Jan P. Monsch, Senior Security Analyst

“Amazingly useful (and fun to read!) book that does justice to this somewhat esoteric subject—and this is coming from a long-time visualization skeptic! What is most impressive is that this book is actually ‘hands-on-useful,’ not conceptual, with examples usable by readers in their daily jobs. Chapter 8 on insiders is my favorite!”
—Dr. Anton Chuvakin, Chief Logging Evangelist, LogLogic

Applied Security Visualization
Raffael Marty

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Capetown • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
[email protected]

For sales outside the United States please contact:

International Sales
[email protected]

Editor-in-Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Senior Development Editor: Chris Zahn
Managing Editor: Kristy Hart
Project Editor: Andy Beaster
Copy Editor: Keith Cline
Indexer: Erika Millen
Proofreader: Jennifer Gallant
Publishing Coordinator: Romny French
Multimedia Developer: Dan Scherf
Book Designer: Chuti Prasertsith
Composition: Nonie Ratcliff
Graphics: Tammy Graham, Laura Robbins

Library of Congress Cataloging-in-Publication Data:
Marty, Rafael, 1976-
Applied security visualization / Rafael Marty.
p. cm.
Includes index.
ISBN 0-321-51010-0 (pbk. : alk. paper)
1. Computer networks—Security measures. 2. Information visualization. 3. Computer security. I. Title.
TK5105.59.M369 2008
005.8—dc22
2008023598

Copyright © 2009 Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671 3447

ISBN-13: 978-0-321-51010-5
ISBN-10: 0-321-51010-0
Text printed in the United States on recycled paper at RR Donnelley, Crawfordsville, Indiana.
First printing August 2008

Contents

Preface xiii
Acknowledgments xix
About the Author xxiii

Chapter 1 Visualization 1
  What Is Visualization? 2
  Why Visualization? 3
    Visualization Benefits 5
  Security Visualization 6
    Security Visualization’s Dichotomy 7
  Visualization Theory 8
    Perception 9
    Expressive and Effective Graphs 11
    Graph Design Principles 13
    Information Seeking Mantra 18
  Summary 19

Chapter 2 Data Sources 21
  Terminology 22
  Security Data 23
  Common Problems 24
    Incomplete Information 25
    Source/Destination Confusion 26
  Packet Captures 27
  Traffic Flows 30
    Collecting Traffic Flows 32
    Aggregating Traffic Flows 35
    Clustering Traffic Flows 36
    Anonymizing Traffic Flows 36
  Firewalls 37
  Intrusion Detection and Prevention Systems 40
  Passive Network Analysis 43
  Operating Systems 45
    Real-Time Operating System Information 46
    Operating System State Information 49
    Operating System Log Problems 53
  Applications 55
    Web Proxy 56
    Mail 58
    Databases 60
  Configurations 62
  Summary 64

Chapter 3 Visually Representing Data 65
  Graph Properties 66
    Data Types 66
    Color 68
    Size, Shape, and Orientation 69
    Chart Axes 69
  Simple Charts 70
    Pie Chart 71
    Bar Chart 72
    Line Chart 73
    3D Bar Charts 74
  Stacked Charts 75
    Stacked Pie Chart 76
    Stacked Bar Chart 77
    Stacked Line Chart 78
  Histograms 78
  Box Plots 80
  Scatter Plots 82
  Parallel Coordinates 85
  Link Graphs 87
  Maps 93
  Treemaps 96
  Three-Dimensional Views 100
    Three-Dimensional Scatter Plots 101
    Three-Dimensional Link Graphs 103
  Interaction and Animation 104
    Interaction 104
    Animation 105
  Choosing the Right Graph 109
  Challenges 115
  Summary 117

Chapter 4 From Data to Graphs 119
  Information Visualization Process 119
    Step 1: Define the Problem 121
    Step 2: Assess Available Data 122
    Step 3: Process Information 124
      Adding Additional Data 126
      Filtering Log Entries 127
      Aggregation 128
      Data Processing Challenges 129
    Step 4: Visual Transformation 132
      Data Mapping 132
      Size and Shape 137
      Color 140
    Step 5: View Transformation 143
      Aggregation 144
    Step 6: Interpret and Decide 146
  Tools for Data Processing 150
    Excel, OpenOffice, and Text Editors 151
    Regular Expressions 151
    UNIX tools 152
    Perl 155
    Parsers 157
    Other Tools 158
  Summary 158