When a Picture is Worth a Thousand Network Packets and System Logs

Data Intelligence
June 28, 2017

Awalin Sopan, FireEye Inc
Audience level: Intermediate
Topic area: Misc

Description

A typical Security Operation Center (SOC) employs security analysts who monitor security logs from heterogeneous devices. By analyzing that data, the analysts identify whether there is a security threat and how to respond to it. Visualizing this large-scale data in a succinct, human-digestible form can reduce their cognitive load and enable them to operate more efficiently.


Transcript

  1. Awalin Sopan
    @awalinsopan
    Senior Software Engineer,
    Analysis Team, FireEye, Inc

  2. Over 200 attacks on major industrial
    control systems in 2013.
    “Cyber threat is one of the most serious
    economic and national security
    challenges we face as a nation”- White
    House Press release, May 29, 2009

  3. FireEye Report 2014

  4. Cyber Attack
    Lifecycle
    FireEye Report 2017

  5. DEFENSE AGAINST CYBER ATTACK:
    Role of a Human (Cyber Analyst)
    • Detect intrusion
    • Recommend solution
    • Threat insight
    • Gather evidence
    • Prevent intrusion
    • Find vulnerability in the system
    • Block suspected traffic
    • Forensic analysis:
    • Create rules to detect future attack
    • Nature of attack

  6. SECURITY DATA: DATA CAPTURED THROUGH SENSORS
    ▪ Multivariate:
      ▪ Packet Capture/TCP dump (ip, port, pkt size, time, etc.,
        multiple features) from network sensors.
      ▪ Logs
        ▪ OS
        ▪ Servers
        ▪ Applications
        ▪ Firewalls

  7. SECURITY DATA: DATA CAPTURED THROUGH SENSORS
    ▪ Relational:
      ▪ Flow data through Network: can be collected from routers:
        connection between IPs, hosts.

  8. SECURITY DATA: DATA CAPTURED THROUGH SENSORS
    ▪ Temporal:
      ▪ Log Files/Activity/Events: Host/endpoint events over time

  9. WHY VISUALIZATION
    • Communicate findings
    • Overview
    • Analyze:
      • Compare and Relate
      • Find trend/ pattern
      • Predict
      • Find anomaly

  10. VISUAL ANALYTICS:
    INTERACTIVE VISUAL INTERFACE
    FOR DECISION MAKING

  11. Visual Information Seeking “Mantra”
    -Ben Shneiderman
    • Overview data using charts, dashboard, tables: see all
    relevant data
    • Find pattern, trend, outlier, correlation
    • Sort by rank
    • Group similar features
    • Zoom and filter: select only interesting ones
    • Details on Demand: details of the selected alert

  12. DATA -> VISUALIZATION
    Multivariate:
      Data: Packet capture, tcp dump from network sensors, server logs,
      operating system logs, firewall logs: Host based Intrusion Detection
      System. Data with multiple variables like ip, port, packet size,
      time, etc.
      Visualization: Table, scatter plot, bubble chart, parallel coordinate
    Relational/Hierarchical:
      Data: Network data flow from routers, connection between ips, hosts.
      Top-down hierarchy of the system: Network Based Intrusion Detection
      System.
      Visualization: Node-link diagram, matrix diagram. Pie chart, treemap.
    Temporal:
      Data: Log file, activity events over time
      Visualization: Line chart, time series, timeline, histogram, sparklines
    Designing the User Interface 4th Edition: Ben Shneiderman and Catherine Plaisant

  13. VAST 2012 Challenge Data: 2 days of Flow data
    Nodes sized by in-degree

  14. Color coded: showing only top 25% strong links
    Links color coded by strength: red low, green high

  15. Color coded: showing only top 10% strong links
    Filtered out weak links to declutter network

  16. Color coded: showing only top 5% strong links
    DDoS attack ?

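
Slides 13 to 16 walk through one triage procedure: aggregate flow records into directed links, size nodes by in-degree, rank links by strength, and progressively drop the weakest (top 25%, 10%, 5%) until a fan-in pattern stands out. The following is an added example, not code from the talk or from FireEye. The flow records are constructed sample data standing in for the VAST 2012 flow data, link strength measured as the number of flows per (source, destination) pair is an assumption, and the byte-based variant is included to show that the strength metric decides whether a flood of many small flows survives the filter at all.

```python
"""Flow-graph triage: aggregate flows into weighted links, size nodes by
in-degree, keep only the strongest links, and look for the fan-in pattern
(many sources -> one destination) that slide 16 labels "DDoS attack?".

Added example; the flows below are constructed and not real traffic."""
import math
from collections import Counter

# Constructed sample flows: (source_ip, destination_ip, bytes).
# Ordinary traffic: one busy client/server pair plus a few small sessions.
BACKGROUND = [
    ("10.0.2.10", "10.0.0.20", 48000), ("10.0.2.10", "10.0.0.20", 51000),
    ("10.0.2.10", "10.0.0.20", 47000), ("10.0.2.10", "10.0.0.20", 52000),
    ("10.0.2.11", "10.0.0.20", 30000), ("10.0.2.11", "10.0.0.20", 29000),
    ("10.0.0.20", "10.0.2.10", 80000),
    ("10.0.2.12", "10.0.0.21", 12000),
    ("10.0.2.13", "10.0.0.21", 9000),
]
# Flood pattern: ten distinct sources each send three tiny flows to 10.0.0.5.
FLOOD = [(f"10.0.1.{i}", "10.0.0.5", 60) for i in range(1, 11) for _ in range(3)]
SAMPLE_FLOWS = BACKGROUND + FLOOD


def build_links(flows, metric="flows"):
    """Collapse flow records into weighted directed links.

    metric="flows": strength = number of flow records on the pair (assumed
    to match the slide's "strength"). metric="bytes": strength = total bytes."""
    if metric not in ("flows", "bytes"):
        raise ValueError("metric must be 'flows' or 'bytes'")
    strength = Counter()
    for src, dst, nbytes in flows:
        strength[(src, dst)] += 1 if metric == "flows" else nbytes
    return dict(strength)


def in_degree(links):
    """Distinct sources talking to each destination (node size on slide 13)."""
    deg = Counter()
    for _src, dst in links:
        deg[dst] += 1
    return dict(deg)


def strongest_links(links, fraction):
    """Keep only the top `fraction` of links by strength (slides 14-16).

    The cut is a threshold at the k-th strongest value, so ties at the
    threshold are all kept rather than arbitrarily split."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    ranked = sorted(links.values(), reverse=True)
    keep = max(1, math.ceil(len(ranked) * fraction))
    threshold = ranked[keep - 1]
    return {pair: s for pair, s in links.items() if s >= threshold}


def fan_in_suspects(links, min_sources):
    """Destinations contacted by at least `min_sources` distinct sources in
    the (possibly filtered) link set: the fan-in shape behind the DDoS
    hypothesis. Sorted for deterministic output."""
    return sorted(dst for dst, d in in_degree(links).items() if d >= min_sources)


def triage(flows, fraction, min_sources=5, metric="flows"):
    """Run the slide procedure end to end and return the suspects."""
    return fan_in_suspects(strongest_links(build_links(flows, metric), fraction),
                           min_sources)


if __name__ == "__main__":
    for frac in (0.25, 0.10, 0.05):
        print(f"top {int(frac * 100):>2}% links by flow count -> suspects:",
              triage(SAMPLE_FLOWS, frac))
    print("top 25% links by bytes      -> suspects:",
          triage(SAMPLE_FLOWS, 0.25, metric="bytes"))
```

With flow count as strength, the 25% view keeps the ten flood links and 10.0.0.5 stands out with in-degree 10; the 5% view keeps only the single busiest legitimate pair and hides the flood entirely, which is the declutter trade-off slides 14 to 16 illustrate. Ranking by bytes instead drops every flood link at 25%, because each is tiny; the metric has to match the behaviour being hunted.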
  17. wikipedia
    DDoS attack

  18. CONTENT OF PACKETS

  19. Network Packet Sensing Rule

  20. Network Packet

  21. PACKET LABELING

  22. Distraction !
    Real target!

  23. PORT ANALYSIS

  24. Target IP
    Source IP

  25. Target IP
    Source IP

  26. System events log

  27. Event timeline

  28. Details on demand

  29. TIME SERIES OF EVENTS

  30. Events in Network (rendered using Grafana)
    ANOMALY DETECTION
    Login attempts in the system

  31. MODES OF OPERATIONS
    Put it all together in the analysts' workflow:
    • Contextual views
    • Dashboard for overview
    • Visual analytics with multiple coordinated views
    • Situational awareness for immediate assessment

  32. Example: SPLUNK

  33. MULTIPLE COORDINATED
    VISUALIZATIONS

  34. Alerts aggregated over time
    (chart legend: Low priority, Mid priority, High priority)

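
Slide 30 (login attempts as a time series with anomaly detection) and slide 34 (alerts aggregated over time, split by priority) both reduce to the same step: bucket events by time, count per bucket, then ask which bucket is unusual. The following is an added example, not code from the talk; the log lines are constructed, the line format `<ISO-8601 timestamp> <priority> <message>` is an assumption, and the spike rule (median plus k times the median absolute deviation) is one robust choice among many, not the method used in the talk's Grafana view.

```python
"""Time-bucketed alert aggregation (slide 34) and a robust spike check on
login attempts per bucket (slide 30). Added example with constructed logs."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed log lines. A burst of failed root logins from one source at
# 09:15 is the pattern the time series should surface.
_STATIC = """\
2017-06-28T09:00:05Z low  login ok user=alice src=10.0.2.10
2017-06-28T09:01:30Z mid  firewall drop src=203.0.113.7 dport=23
2017-06-28T09:02:12Z low  login ok user=bob src=10.0.2.11
2017-06-28T09:06:10Z high ids alert sig=TEST-RULE src=203.0.113.9
2017-06-28T09:07:44Z low  login ok user=carol src=10.0.2.12
2017-06-28T09:11:03Z low  login ok user=alice src=10.0.2.10
2017-06-28T09:12:59Z mid  login failed user=alice src=10.0.2.10
2017-06-28T09:13:20Z mid  firewall drop src=203.0.113.7 dport=22
2017-06-28T09:16:30Z mid  firewall drop src=198.51.100.9 dport=22
"""
_BURST = "\n".join(
    f"2017-06-28T09:15:{s:02d}Z high login failed user=root src=198.51.100.9"
    for s in range(2, 60, 7))  # nine failed logins inside one 5-minute bucket
SAMPLE_LOG = _STATIC + _BURST + "\n"


def parse_events(text):
    """Parse '<ts> <priority> <message>' lines into (datetime, priority, message)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, prio, msg = line.split(None, 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, prio, msg))
    return events


def bucket_start(when, minutes):
    """Floor a timestamp to the start of its `minutes`-wide bucket (UTC)."""
    epoch = int(when.timestamp())
    return datetime.fromtimestamp(epoch - epoch % (minutes * 60), tz=timezone.utc)


def aggregate_by_priority(events, minutes=5):
    """Slide 34: alert counts per time bucket, split by priority.
    Returns {bucket_start: {priority: count}} in time order."""
    table = defaultdict(Counter)
    for when, prio, _ in events:
        table[bucket_start(when, minutes)][prio] += 1
    return {b: dict(c) for b, c in sorted(table.items())}


def login_series(events, minutes=5):
    """Slide 30: login attempts (ok or failed) per bucket as [(bucket, count)].
    Buckets that saw other events but no logins are kept with count 0."""
    counts = {bucket_start(when, minutes): 0 for when, _, _ in events}
    for when, _, msg in events:
        if msg.startswith("login"):
            counts[bucket_start(when, minutes)] += 1
    return sorted(counts.items())


def spike_buckets(series, k=3.0):
    """Buckets whose count exceeds median + k * MAD (robust z-score).
    Edge case: a perfectly flat baseline gives MAD = 0, in which case any
    count above the median is flagged instead of nothing ever being flagged."""
    values = [c for _, c in series]
    if not values:
        return []
    med = median(values)
    mad = median([abs(v - med) for v in values])
    threshold = med + k * mad if mad > 0 else med
    return [bucket for bucket, c in series if c > threshold]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for bucket, per_prio in aggregate_by_priority(evts).items():
        print(bucket.strftime("%H:%M"), per_prio)
    series = login_series(evts)
    print("logins per bucket:", [c for _, c in series])
    print("spike buckets:", [b.strftime("%H:%M") for b in spike_buckets(series)])
```

On the constructed input the login series is 2, 1, 2, 9; the median is 2 and the MAD 0.5, so the 09:15 bucket is the only one above the threshold of 3.5. Bucket width and k are the tuning knobs an analyst would expose in the dashboard; a wider bucket smooths short bursts away, a smaller k raises the false-positive rate.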
  35. SITUATIONAL AWARENESS

  36. Situation awareness is the ability to:
    • assess data
    • evaluate options
    • make decisions in a timely manner.

  37. VIZSEC:
    WORKSHOP ON SECURITY VISUALIZATION

  38. CYNOMIX
    Gove et al., VizSec 2014
    Find similar malwares

  39. Visualizing the Insider Threat
    http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7312772&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F7310645%2F7312757%2F07312772.pdf%3Farnumber%3D7312772
    Interactive PCA of user activity
    Anomalous cluster

  40. TAKE AWAY
    • (Machine + Human) > Machine || Human.
    • Bridge the gap between security experts & dataviz experts.
    • Provide contextual clues to the analysts.
    • Integrate visual analytics in the analyst workflow.
    • Make room for scalability and efficiency.
    • Avoid visual representations requiring a lot of explanation.
    • Choose the network layout that avoids edge crossing or node
      overlapping.
    • Aggregation of data should be obvious.
