When a Picture is Worth a Thousand Network Packets and System Logs

Data Intelligence
June 28, 2017


Awalin Sopan FireEye Inc
Audience level: Intermediate
Topic area: Misc

Description

A typical Security Operations Center (SOC) employs security analysts who monitor security logs from heterogeneous devices. By analyzing that data, the analysts identify whether there is a security threat and decide how to respond to it. Visualizing this large-scale data in a succinct, human-digestible form can reduce their cognitive load and enable them to operate more efficiently.


Transcript

  1. Awalin Sopan @awalinsopan Senior Software Engineer, Analysis Team, FireEye, Inc

  2. Over 200 attacks on major industrial control systems in 2013.

    “Cyber threat is one of the most serious economic and national security challenges we face as a nation”- White House Press release, May 29, 2009
  3. FireEye Report 2014

  4. Cyber Attack Lifecycle FireEye Report 2017

  5. None
  6. DEFENSE AGAINST CYBER ATTACK: Role of a Human (Cyber Analyst)

    • Detect intrusion
    • Recommend solution
    • Threat insight
    • Gather evidence
    • Prevent intrusion
    • Find vulnerability in the system
    • Block suspected traffic
    • Forensic analysis:
      • Create rules to detect future attack
      • Nature of attack
  7. SECURITY DATA: DATA CAPTURED THROUGH SENSORS

    ▪ Multivariate: packet capture / TCP dump from network sensors (ip, port, packet size, time, etc.: multiple features)
    ▪ Logs: OS, servers, applications, firewalls
  8. None
  9. SECURITY DATA: DATA CAPTURED THROUGH SENSORS

    ▪ Relational: flow data through the network, collected from routers: connections between IPs and hosts
  10. None
  11. None
  12. None
  13. SECURITY DATA: DATA CAPTURED THROUGH SENSORS

    ▪ Temporal: log files / activity / events: host and endpoint events over time
  14. WHY VISUALIZATION

    • Overview
    • Communicate findings
    • Analyze: compare and relate, find trend/pattern, predict, find anomaly
  15. VISUAL ANALYTICS: INTERACTIVE VISUAL INTERFACE FOR DECISION MAKING

  16. Visual Information Seeking "Mantra" (Ben Shneiderman)

    • Overview: show the data using charts, dashboards, tables, so that all relevant data is seen; find pattern, trend, outlier, correlation; sort by rank; group similar features
    • Zoom and filter: select only the interesting ones
    • Details on demand: details of the selected alert
  17. DATA -> VISUALIZATION

    Multivariate: packet capture / tcp dump from network sensors, server logs, operating system logs, firewall logs (host-based intrusion detection system). Data with multiple variables like ip, port, packet size, time, etc. -> table, scatter plot, bubble chart, parallel coordinates.
    Relational / hierarchical: network data flow from routers, connections between ips and hosts; top-down hierarchy of the system (network-based intrusion detection system) -> node-link diagram, matrix diagram; pie chart, treemap.
    Temporal: log files, activity events over time -> line chart, time series, timeline, histogram, sparklines.
    Source: Designing the User Interface, 4th edition, Ben Shneiderman and Catherine Plaisant
  18. NETWORK

  19. VAST 2012 Challenge Data: 2 days of flow data. Nodes sized by in-degree.
  20. None
  21. Color coded: showing only the top 25% strong links. Links color coded by strength: red low, green high.
  22. Color coded: showing only the top 10% strong links. Weak links filtered out to declutter the network.
  23. Color coded: showing only the top 5% strong links. DDoS attack?
  24. wikipedia DDoS attack
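Slides 19 to 23 describe a concrete reduction pipeline: aggregate two days of flow records into a node-link graph, size nodes by in-degree, colour links by strength, and keep only the strongest 25%, 10% and 5% of links until one heavily targeted node is all that remains. The Python block below is added here as an illustration; it is not code from the talk or from FireEye. It runs that pipeline over constructed flow records (the addresses, port and flow counts are invented for the example and are not VAST 2012 data) and reports which destination keeps a large fan-in as weak links are removed. It also includes the per-target destination-port breakdown behind the port analysis of slides 33 to 35.

```python
"""Added example (not the speaker's code): the reduction steps behind the
flow graph on slides 19-23.  Flow records are aggregated into a weighted,
directed graph, destinations are ranked by in-degree, and only the strongest
links are kept so a fan-in pattern stands out.  All flow records below are
constructed for this example; they are not VAST 2012 data."""
import math
from collections import Counter, defaultdict

TARGET = "192.0.2.10"  # constructed victim address (RFC 5737 documentation range)


def constructed_flows():
    """Constructed flow records as (src_ip, dst_ip, dst_port, bytes) tuples."""
    flows = []
    # Eight sources each open 11..18 short connections to the same web port:
    # the fan-in shape of a flood, with distinct counts so ranking is stable.
    for i in range(1, 9):
        for _ in range(10 + i):
            flows.append((f"198.51.100.{i}", TARGET, 80, 60))
    # Background: single flows between unrelated hosts, plus one ordinary
    # visit to the target so it also has a legitimate neighbour.
    flows += [
        ("10.0.0.1", "10.0.0.2", 443, 5200),
        ("10.0.0.2", "10.0.0.3", 22, 900),
        ("10.0.0.3", "10.0.0.4", 53, 120),
        ("10.0.0.4", "10.0.0.5", 443, 4100),
        ("10.0.0.5", "10.0.0.1", 25, 3000),
        ("10.0.0.6", "10.0.0.7", 443, 2200),
        ("10.0.0.7", "10.0.0.8", 80, 800),
        ("10.0.0.8", "10.0.0.9", 443, 1500),
        ("10.0.0.9", "10.0.0.6", 22, 700),
        ("10.0.0.1", "10.0.0.9", 80, 650),
        ("10.0.0.2", "10.0.0.7", 443, 3300),
        ("10.0.0.3", TARGET, 80, 1400),
    ]
    return flows


def build_edges(flows):
    """Collapse flows into one edge per (src, dst) carrying flow and byte counts."""
    edges = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, dst, _port, nbytes in flows:
        edges[(src, dst)]["flows"] += 1
        edges[(src, dst)]["bytes"] += nbytes
    return dict(edges)


def in_degree(edges):
    """Distinct sources talking to each destination (the node size on slide 19)."""
    return dict(Counter(dst for _src, dst in edges))


def strongest_links(edges, fraction, key="flows"):
    """Keep the top `fraction` of edges by strength: the 25% / 10% / 5% filter
    of slides 21-23.  At least one edge is always kept."""
    keep = max(1, math.ceil(len(edges) * fraction))
    ranked = sorted(edges.items(), key=lambda kv: kv[1][key], reverse=True)
    return dict(ranked[:keep])


def fan_in_suspects(edges, min_sources):
    """Destinations still receiving from >= min_sources sources after filtering.
    A node that keeps a large fan-in while weak links disappear is the
    'DDoS attack?' candidate of slide 23."""
    return sorted(dst for dst, d in in_degree(edges).items() if d >= min_sources)


def ports_by_target(flows, target):
    """Destination-port breakdown for one target (the port analysis of slides 33-35)."""
    return dict(Counter(port for _s, dst, port, _b in flows if dst == target))


if __name__ == "__main__":
    edges = build_edges(constructed_flows())
    print(f"{len(edges)} edges; target in-degree {in_degree(edges)[TARGET]}")
    for frac in (0.25, 0.10, 0.05):
        kept = strongest_links(edges, frac)
        print(f"top {frac:.0%}: {len(kept)} edges, suspects {fan_in_suspects(kept, 1)}")
    print(ports_by_target(constructed_flows(), TARGET))
```

Strength here is the flow count per edge; swapping `key="bytes"` ranks by volume instead, which is the choice to make when the flood is bandwidth-heavy rather than connection-heavy. Whatever the strength metric, the percentile filter only declutters; the fan-in check is what turns the remaining picture into a candidate alert.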

  25. CONTENT OF PACKETS

  26. Network Packet Sensing Rule

  27. Network Packet

  28. None
  29. PACKET LABELING

  30. None
  31. None
  32. Distraction ! Real target!

  33. PORT ANALYSIS

  34. Target IP Source IP

  35. Target IP Source IP

  36. None
  37. EVENT LOG

  38. System events log

  39. Event timeline

  40. Details on demand

  41. TIME SERIES OF EVENTS

  42. None
  43. ANOMALY DETECTION: login attempts in the system. Events in the network (rendered using Grafana).
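Slides 37 to 43 move from network flows to host event logs: a time series of events, a timeline with details on demand, and anomaly detection on login attempts. The Python block below is added as an example; it is not code from the talk, the speaker, or a Grafana or Splunk configuration. It parses constructed sshd-style log lines (the host name, addresses and counts are invented for the example), bins failed logins per minute, scores each bin against a median/MAD baseline, and expands the flagged minute into the source addresses and user names behind it. The line format is an assumption: it follows the usual OpenSSH "Failed/Accepted password" shape, and lines of any other shape are skipped rather than counted.

```python
"""Added example (not the speaker's code): the event-log side of slides 37-43.
Constructed sshd-style log lines are binned per minute, failed logins per bin
are scored against a robust baseline (median and MAD), and the anomalous bin
is expanded for a details-on-demand view.  Host name, addresses, counts and
the line format are assumptions made for this example."""
import re
from collections import Counter
from statistics import median

# Matches the common OpenSSH "Failed/Accepted password" line shape.  The
# captured timestamp drops the seconds so it already names a minute bin.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3} +\d{1,2} \d{2}:\d{2}):\d{2} \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed failure counts for ten consecutive minutes: quiet, then a burst.
PER_MINUTE_FAILURES = [1, 2, 1, 3, 2, 1, 35, 2, 1, 2]


def constructed_log():
    """Constructed log lines: background failures from scattered addresses,
    one accepted login and one unrelated line per minute, and a burst from a
    single address in minute 6."""
    lines = []
    for minute, n in enumerate(PER_MINUTE_FAILURES):
        for k in range(n):
            ip = "203.0.113.77" if n > 10 else f"198.51.100.{k + 1}"
            lines.append(
                f"Jun 28 10:{minute:02d}:{k % 60:02d} bastion sshd[{1000 + minute * 100 + k}]: "
                f"Failed password for invalid user admin from {ip} port {40000 + k} ssh2"
            )
        lines.append(
            f"Jun 28 10:{minute:02d}:59 bastion sshd[{1999 + minute}]: "
            f"Accepted password for ops from 10.0.0.5 port 50000 ssh2"
        )
        lines.append(f"Jun 28 10:{minute:02d}:59 bastion sshd[{1999 + minute}]: Connection closed by 10.0.0.5")
    return lines


def parse_line(line):
    """Return the fields of a login line, or None for lines of another shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failures_per_minute(lines):
    """Time series of failed logins per minute bin, in log order (slide 41)."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a login event: never counted, never an error
        counts.setdefault(rec["minute"], 0)
        if rec["outcome"] == "Failed":
            counts[rec["minute"]] += 1
    return counts


def robust_anomalies(counts, threshold=5.0):
    """Flag bins whose count sits far above the median, measured in scaled
    MAD units (1.4826 * MAD estimates sigma for normal data).  A zero MAD is
    floored to one count so a flat baseline still yields finite scores."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = 1.4826 * mad if mad > 0 else 1.0
    flagged = []
    for bin_name, v in counts.items():
        score = (v - med) / scale
        if score > threshold:
            flagged.append((bin_name, v, round(score, 2)))
    return flagged


def details_on_demand(lines, minute_bin):
    """Expand one bin: failed-login sources and attempted user names (slide 40)."""
    recs = [r for r in map(parse_line, lines)
            if r and r["minute"] == minute_bin and r["outcome"] == "Failed"]
    return {"sources": dict(Counter(r["ip"] for r in recs)),
            "users": dict(Counter(r["user"] for r in recs))}


if __name__ == "__main__":
    log = constructed_log()
    series = failures_per_minute(log)
    for bin_name, count, score in robust_anomalies(series):
        print(f"{bin_name}: {count} failed logins (score {score})")
        print(details_on_demand(log, bin_name))
```

Median and MAD are used instead of mean and standard deviation because the burst itself would otherwise inflate the baseline and mask smaller bursts. The minute bin is the overview, the flagged bin is the zoom-and-filter step, and the source/user breakdown is the details-on-demand step of the mantra on slide 16.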
  44. MODES OF OPERATIONS: put it all together in the analyst's workflow

    • Contextual views
    • Dashboard for overview
    • Visual analytics with multiple coordinated views
    • Situational awareness for immediate assessment
  45. DASHBOARDS

  46. Example: SPLUNK

  47. None
  48. MULTIPLE COORDINATED VISUALIZATIONS

  49. TempoViz

  50. Alerts aggregated over time, split into low, mid and high priority.

  51. SITUATIONAL AWARENESS

  52. Situation awareness is the ability to assess data, evaluate options and make decisions in a timely manner.
  53. VIZSEC: WORKSHOP ON SECURITY VISUALIZATION

  54. CYNOMIX (Gove et al., VizSec 2014): find similar malware

  55. Visualizing the Insider Threat http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7312772&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel7%2F7310645%2F7312757%2F07312772.pdf%3Farnumber%3D7312772 Interactive PCA of user activity; anomalous cluster
  56. TAKE AWAY

    • (Machine + Human) > Machine || Human.
    • Bridge the gap between security experts and dataviz experts.
    • Provide contextual clues to the analysts.
    • Integrate visual analytics into the analyst workflow.
    • Make room for scalability and efficiency.
    • Avoid visual representations that require a lot of explanation.
    • Choose a network layout that avoids edge crossings and node overlap.
    • Aggregation of data should be obvious.
    awalin.sopan@fireeye.com