Applied Security Visualization

Author: Raffael Marty
Publisher: Addison Wesley Professional
ISBN-10: 0-321-51010-0
ISBN-13: 978-0-321-51010-5
Pages: 552
Publisher Book Home: http://www.informit.com/store/product.aspx?isbn=0321510100
Safari (electronic version): http://safari.informit.com/9780321585530
Marketing Material: Book Flyer
Sample Chapter: Download Chapter 5
Video Interview: Interview with Raffael Marty.
Latest version of DAVIX: http://82.197.185.121/davix/release/davix-latest.iso.gz


“Collecting log data is one thing, having relevant information is something else. The art to transform all kinds of log data into meaningful security information is the core of this book. Raffy illustrates in a straightforward way, and with hands-on examples, how such a challenge can be mastered. Let's get inspired.”
Andreas Wuchner, Head of Global IT Security, Novartis

Use Visualization to Secure Your Network Against the Toughest, Best-Hidden Threats

As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today’s state-of-the-art data visualization techniques, you can gain a far deeper understanding of what’s happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods.
In Applied Security Visualization, leading network security visualization expert Raffael Marty introduces all the concepts, techniques, and tools you need to use visualization on your network. You’ll learn how to identify and utilize the right data sources, then transform your data into visuals that reveal what you really need to know. Next, Marty shows how to use visualization to perform broad network security analyses, assess specific threats, and even improve business compliance.
He concludes with an introduction to a broad set of visualization tools. The book’s CD also includes DAVIX, a compilation of freely available tools for security visualization.
You'll learn how to:

  • Intimately understand the data sources that are essential for effective visualization

  • Choose the most appropriate graphs and techniques for your IT data

  • Transform complex data into crystal-clear visual representations

  • Iterate your graphs to deliver even better insight for taking action

  • Assess threats to your network perimeter, as well as threats imposed by insiders

  • Use visualization to manage risks and compliance mandates more successfully

  • Visually audit both the technical and organizational aspects of information and network security

  • Compare and master today's most useful tools for security visualization


Contains the live CD Data Analysis and Visualization Linux (DAVIX). DAVIX is a compilation of powerful tools for visualizing networks and assessing their security. DAVIX runs directly from the CD-ROM, without installation.

Errata

Here are a few typos and errors that I or others have found in the book. Thanks for reporting them (either via email to me or as a comment here).

  • Inside cover: My name is misspelled (Rafael instead of Raffael)

  • Page 15, Figure 1-7: Similarty should be Similarity in the top right of the figure.

  • Page 26: Says 172. It should say 127.

  • Page 69, under Chart Axes section: "... the vertical axis is generally the y-axis". This should be the z-axis.

  • Page 91, Figure 3-22: Arrow from "web" to "10.0.0.252" should be going the other direction.

  • Page 162 at the very top: It should mention that there are four, not three subcategories.

  • Page 192: line 13 in example: It should be a tilde ~ instead of the [td].

  • Index: MADC should be MACD.

Press / Related Material


Additional Visualization Tools

Here is a list of visualization tools. This list is a continuation of what you can find in Chapter 9 "Visualization Tools":

Sample Figures

gltail: Cisco ASA parser

Worked up a Cisco ASA parser for gltail (http://www.fudgie.org/) to do firewall movies specific to Cisco.

I'll submit to the ruby project for gltail, but if anyone wants it email me at jeff@jeffbryner.com.

Applied Security Visualization - Book

Title: Applied Security Visualization
Author: Raffael Marty
Source: Addison Wesley Professional
Publication Date: July 2008 (estimated)

Excerpt:

'....As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today's state-of-the-art data visualization techniques, you can gain a far deeper understanding of what's happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed.

In Applied Security Visualization, leading network security visualization expert Raffael Marty introduces all the concepts, techniques, and tools you need to use visualization on your network. You'll learn how to identify and utilize the right data sources, then transform your data into visuals that reveal what you really need to know. Next, Marty shows how to use visualization to perform broad network security analyses, assess specific threats, and even improve business compliance. He concludes with a thorough introduction to DAVIX, today's leading toolset for security visualization.


  • Intimately understand the data sources that are essential for effective visualization
  • Choose the most appropriate visualization graphs and techniques for your network data
  • Walk step-by-step through transforming complex data into crystal-clear visual representations
  • Iterate your graphs to deliver even better insight for action
  • Assess threats to your network perimeter, as well as threats generated by insiders
  • Use visualization to manage risks more successfully
  • Visually audit both the technical and organizational aspects of network security
  • Compare and master today's most useful tools for network security visualization

Contains the powerful Data Analysis and Visualization UNIX (DAVIX) toolset for visualizing networks and assessing their security. DAVIX runs directly from the CD-ROM, without installation......'


Nessus vulnerability scanner pigized

Graph of a Nessus scan as seen by Snort and Prelude LML using pig

Saint vulnerability scanner pigized

Graph of a Saint scan as seen by Snort and Prelude LML using pig

Retina vulnerability scanner pigized

Prelude IDMEF Grapher (PIG) shows IDMEF data in a multi-axis view for graphical alert analysis. This graph shows what was displayed during a scan with the Retina software. Snort and Prelude LML (log analysis) send their alerts to the Prelude manager, which we connect to using pig.

24 hours of firewall logs plotted by dest port over time (color is source port)

Next, a plot of the same data using the destination port number over time points to obvious port scanning in the form of diagonal lines, as well as odd patterns that line up with the previous destination IP address plot.

All of these graphs were created by parsing firewall logs using a Perl script and loading them into Advizor Analyst.

24 hours of firewall logs plotted by dest ip (int) over time (color is dest port)

When you plot the destination IP address as an integer over time, many interesting patterns are highlighted. Even more interesting than the horizontal patterns indicating continuous traffic to specific IP addresses are the vertical clusters with regularly repeating frequencies.

All of these graphs were created by parsing firewall logs using a Perl script and loading them into Advizor Analyst.
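The two plots above (destination port over time, destination IP as an integer over time) need each firewall log line reduced to a handful of numeric fields first. The following is an added example, not the author's Perl script: it parses constructed iptables-style log lines (assumed format, not the author's data), converts the destination address to an integer so it can sit on a numeric axis, and flags the "diagonal line" pattern the post attributes to port scanning, i.e. one source walking consecutive destination ports on one host.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables syslog style (not the author's logs).
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=24
Mar  3 10:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40004 DPT=25
Mar  3 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.80 PROTO=TCP SPT=51000 DPT=80
Mar  3 10:05:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.80 PROTO=TCP SPT=51001 DPT=80
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) DST=(\S+) .*?SPT=(\d+) DPT=(\d+)")

def ip_to_int(ip):
    """Dotted-quad IPv4 -> integer, so the address can be plotted on a numeric axis."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_log(text):
    """One row per log line: the fields needed for the port-over-time and IP-over-time plots."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not firewall events
        ts, src, dst, spt, dpt = m.groups()
        rows.append({"time": ts, "src": src, "dst": dst, "dst_int": ip_to_int(dst),
                     "spt": int(spt), "dpt": int(dpt)})
    return rows

def find_port_sweeps(rows, min_len=4):
    """A diagonal line on the dest-port plot is one source hitting consecutive ports on
    one host in log order; return (src, dst, first_port, last_port) for each such run."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["dpt"])
    sweeps = []
    for (src, dst), ports in by_pair.items():
        run = [ports[0]]
        for p in ports[1:]:
            if p == run[-1] + 1:
                run.append(p)
            else:
                if len(run) >= min_len:
                    sweeps.append((src, dst, run[0], run[-1]))
                run = [p]
        if len(run) >= min_len:
            sweeps.append((src, dst, run[0], run[-1]))
    return sweeps
```

The rows from `parse_log` can be written out as CSV and loaded into any plotting tool; the repeated hits on port 80 from the second source are the kind of horizontal line the destination IP plot shows, while the first source produces the diagonal.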

VizSec 2008 update

The full and short paper deadline for VizSec has been extended. The new deadlines are:
April 21, 2008 : Deadline for full paper submission
May 19, 2008 : Deadline for short paper submissions
July 18, 2008 : Deadline for poster and demo abstracts

The Keynote speaker at VizSec will be Ben Shneiderman, speaking on the topic Information Forensics: Harnessing visualization to support discovery. Ben Shneiderman is a Professor in the Department of Computer Science, Founding Director (1983-2000) of the Human-Computer Interaction Laboratory, and Member of the Institute for Advanced Computer Studies at the University of Maryland at College Park. He was made a Fellow of the ACM in 1997, elected a Fellow of the American Association for the Advancement of Science in 2001, and received the ACM CHI (Computer Human Interaction) Lifetime Achievement Award in 2001.

Full and short papers will be published by Springer Lecture Notes in Computer Science (LNCS) in the VizSec 2008 Proceedings.
Formatting and submission instructions are on the web site: http://vizsec.org/workshop2008