Upgrade to Pro — share decks privately, control downloads, hide ads and more …

When a Picture is Worth a Thousand Network Pack...

Data Intelligence
June 28, 2017
1
240

When a Picture is Worth a Thousand Network Packets and System Logs

Awalin Sopan FireEye Inc
Audience level: Intermediate
Topic area: Misc

Description

A typical Security Operation Center (SOC) employs security analysts who monitor security log from heterogeneous devices. The analysts identify whether there is a security threat and how to respond to that threat by analyzing that data. Visualizing this large-scale data to a succinct human digestible form can reduce their cognitive load and enable them to operate more efficiently.

Data Intelligence

June 28, 2017
Tweet

More Decks by Data Intelligence

See All by Data Intelligence
Building a Gigaword Corpus: Data Ingestion, Management, and Processing for NLP
dataintelligence
1
590
Data Version Control: Tool for Iterative Machine Learning
dataintelligence
0
990
Pomegranate: Fast and Flexible Probabilistic Modeling in Python
dataintelligence
0
420
Machine Learning & Election Campaigns
dataintelligence
0
300
Visual Pipelines for Text Analysis
dataintelligence
3
1.2k
ENCASE
dataintelligence
0
130

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
51
13k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Typedesign – Prime Four
hannesfritz
39
2.4k
Happy Clients
brianwarren
97
6.7k
Teambox: Starting and Learning
jrom
132
8.7k
Navigating Team Friction
lara
183
14k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Bash Introduction
62gerente
608
210k

Transcript

  1. Awalin Sopan @awalinsopan Senior Software Engineer, Analysis Team, FireEye, Inc

  2. Over 200 attacks on major industrial control systems in 2013.

    “Cyber threat is one of the most serious economic and national security challenges we face as a nation”- White House Press release, May 29, 2009

  3. FireEye Report 2014

  4. Cyber Attack Lifecycle FireEye Report 2017

  5. None

  6. DEFENSE AGAINST CYBER ATTACK: Role of a Human (Cyber Analyst)

    • Detect intrusion • Recommend solution • Threat insight • Gather evidence • Prevent intrusion • Find vulnerability in the system • Block suspected traffic • Forensic analysis: • Create rules to detect future attack • Nature of attack

  7. ▪Multivariate: ▪Packet Capture/TCP dump, (ip, port, pkt size, time, etc.

    multiple features) from network sensors. ▪Logs ▪ OS ▪ Servers ▪ Applications ▪ Firewalls SECURITY DATA: DATA CAPTURED THROUGH SENSORS
  8. None

  9. ▪Relational: ▪Flow data through Network: can be collected from routers:

    connection between IPs, hosts. SECURITY DATA: DATA CAPTURED THROUGH SENSORS
  10. None
  11. None
  12. None

  13. ▪Temporal: ▪Log Files/Activity/Events: Host/endpoint events over time SECURITY DATA: DATA

    CAPTURED THROUGH SENSORS

  14. • Communicate findings • Overview • Analyze: • Compare and

    Relate • Find trend/ pattern • Predict • Find anomaly WHY VISUALIZATION

  15. VISUAL ANALYTICS: INTERACTIVE VISUAL INTERFACE FOR DECISION MAKING

  16. Visual Information Seeking “Mantra” -Ben Shneiderman • Overview data using

    charts, dashboard, tables: see all relevant data • Find pattern, trend, outlier, correlation • Sort by rank • Group similar features • Zoom and filter: select only interesting ones • Details on Demand: details of the selected alert

  17. DATA -> VISUALIZATION Multivariate Packet capture, tcp dump from network

    sensors, server logs, operating system logs, firewall logs: Host based Intrusion Detection System. Data with multiple variables like ip, port, packet size, time, etc. Table, scatter plot, bubble chart, parallel coordinate Relational/ Hierarchical Network data flow from routers, connection between ips, hosts. Top-down hierarchy of the system: Network Based Intrusion Detection System. Node-link diagram, matrix diagram. Pie chart, treemap. Tempor al Log file, activity events over time Line chart, time series, timeline, histogram, sparklines Designing the User Interface 4th Edition: Ben Shneiderman and Catherine Plaisant

  18. NETWORK

  19. VAST 2012 Challenge Data: 2 days of Flow data Nodes

    sized by in-degree Sized by in-degree
  20. None

  21. Color coded: showing only top 25% strong links Links color

    coded by strength: red low, green high

  22. Color coded: showing only top 10% strong links Filtered out

    weak links to declutter network

  23. Color coded: showing only top 5% strong links DDoS attack

    ?

  24. wikipedia DDoS attack

  25. CONTENT OF PACKETS

  26. Network Packet Sensing Rule

  27. Network Packet

  28. None

  29. PACKET LABELING

  30. None
  31. None

  32. Distraction ! Real target!

  33. PORT ANALYSIS

  34. Target IP Source IP

  35. Target IP Source IP

  36. None

  37. EVENT LOG

  38. System events log

  39. Event timeline

  40. Details on demand

  41. TIME SERIES OF EVENTS

  42. None

  43. Events in Network (rendered using Grafana) ANOMALY DETECTION Login attempts

    in the system

  44. MODES OF OPERATIONS Put it all together in analysts workflow:

    • Contextual views • Dashboard for overview • Visual analytics with multiple coordinated views • Situational awareness for immediate assessment

  45. DASHBOARDS

  46. Example: SPLUNK

  47. None

  48. MULTIPLE COORDINATED VISUALIZATIONS

  49. TempoViz

  50. Low priority High priority Mid priority Alerts aggregated over time

  51. SITUATIONAL AWARENESS

  52. Situation awareness is the ability to : •assess data •evaluate

    options •make decisions in a timely manner.

  53. VIZSEC: WORKSHOP ON SECURITY VISUALIZATION

  54. CYNOMIX GOVE ET A.L, VIZSEC 2014 Find similar malwares

  55. Visualizing the Insider Threat http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7312772&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F7310645%2F7312757%2F0731 2772.pdf%3Farnumber%3D7312772 Interactive PCA of user

    activity Anomalous cluster

  56. • (Machine + Human) > Machine || Human. • Bridge

    the gap btwn security experts & dataviz experts. • Provide contextual clues to the analysts. • Integrate visual analytics in analyst workflow. • Make room for scalability and efficiency. • Avoid visual representations requiring lot of explanation. • Choose the network layout that avoids edge crossing or node overlapping. • Aggregation of data should be obvious. TAKE AWAY [email protected]