NEXThink - Visualizing Endpoint Activity

NEXThink is a small Swiss startup which sells a solution in the security/visualization space. They deploy an agent on the endpoints (machines) and record network activity from them (at least that's what I understood). The network activity is then visualized with parallel coordinates and starfields.
I was reading a paper about some of the visualization approaches they are taking. To summarize a couple of interesting points from the paper:
  • In order to visualize a huge amount of connections, they use hierarchies for the attributes to summarize them. You can expand those on demand. The collapsing and expanding of the attributes is done automatically based on the number of lines on the screen. I thought this was a pretty interesting idea.
  • To visualize activity from hosts, one of the methods they use is parallel coordinates with user, application, source host, target host, and target port in the graph. They omit time as it would clutter the graph. I wonder whether they have the capability to show time anyway and aggregate by hour, day, etc. That would be interesting.
  • To visualize activity with regard to time, they use starfields. I have heard other names for this type of visualization. Advizor calls them time-series, which is a bad term in my opinion as it alludes to a type of data.
  • What I was a bit confused about was the use of the term alarm in the paper. I am not sure whether the author just meant to talk about the connections or whether there is some kind of a sub-system that actually generates alarms. I guess the latter because he mentions anomaly detection very briefly. I would be interested to read more about that.

The next thing I hope to see from them is that they post some graphs here!

NEXThink - Visualizing Endpoint Activity

In the parallel coordinates, we omit time for two main reasons: 1) as you said, representing time would clutter the graph; 2) in order to be able to display a big number of connections, we abstract them into "signatures" as described in the mentioned paper. However, we record time for every single connection and we are able to display the activity within a specific time slot.

Actually, the name "starfield" came from the first design of the visualization a long time ago that looked like a star field (cf. papers by Ben Shneiderman). However, the visualization has been modified over time but the name remained ;-)

Regarding the alarms: yes, we do have security alarms. One part of the solution is data visualization, but the second part is data analysis in order to provide visibility of activity within its risk context (anomalies, critical connections/applications, highly privileged users). This analysis is done by an engine able to generate alarms thanks to several artificial intelligence techniques. The alarms range from simple alarms like "denied application" or "IM application" to more sophisticated ones such as "abnormal user behavior", "silent port scanning" or "abnormal application behavior (port)". These are just examples of alarms and of course not an exhaustive list. ;-)

I'll post some screenshots soon!