Having spent 6 years shooting crossbow and air rifle on the Swiss National Team, Raffael Marty knows how to shoot straight. Here, the author of Applied Security Visualization shares 3 must-dos (and 3 don'ts) for effective visualization.
This is part of a regular series that highlights new books and their authors. Also in this series: Joel Scambray on exposing the hacker's advantage, Brandon Carroll on getting back to basics with wireless networking, and Scott Hogg on planning a secure migration to IPv6.
"Computers are a very exact science. You tell them to do something and they do exactly that. Visualization is an art," says Raffael Marty, author of Applied Security Visualization. "Visualizing security data is really the intersection of both of these disciplines. You have a lot of creative freedom when generating visuals. However, you are restrained to certain principles. It’s both an art and a science to create the right visuals in order for them to be useful. I like that intersection. I like the fact that I apply my creativity and combine it with my security domain knowledge in order to solve security problems."
Name: Raffael Marty
What I'm working on now: Now that Applied Security Visualization is published, I find myself having time again to get involved in new initiatives. One of the things I'm doing is teaching log analysis and visualization workshops. The next one is held in Boston during the Source Boston Conference in March. Another project I am going to spend more time on is the Honeynet Alliance. I am going to help out with data analysis and research of how to visualize the data that is collected by the various honeypots around the world. And finally, there is DAVIX, which will need some attention this year as well. We are working on a new version and possibly some updates to the secviz.org Web site as well. It won’t be a boring year for sure.
Favorite learning sites and hidden gems: Lately, a lot of breaking news I get through Twitter (@zrlram, if you want to follow me). If you are interested in security visualization, there is the secviz portal and a Twitter stream: @secviz. One of the visualization blogs I have in my RSS reader is FlowingData, which I enjoy a lot.
Something most people don't know about me: In a previous life, before I moved from Switzerland to the US, I used to be very competitive in target shooting. Crossbow and air rifle were my disciplines. I was part of the Swiss National Team for 6 years (and coach for the National Youth team for two of those years). Some of the experiences from that time have shaped my life very significantly.
Philosophy: Not sure I have much of a philosophy. But let me share this thought with you. I have a Google alert set up that looks for security visualization topics. About half of the alerts mention visualization not in the sense of information visualization but as a method of creative visualization, the technique underlying positive thinking. During my days of competitive shooting, visualization was a big part of my practice. Since then I have not used the technique much. Through the work I am doing on security visualization, I got reminded of creative visualization again. It is just interesting to me that important things in life will eventually come back again.
Advice for newbies: Security visualization can be an overwhelming topic. There are so many things you have to know in order to visualize your security data. One of the biggest problems is the non-existence of a comprehensive security visualization tool. The Data Analysis and Visualization Linux (DAVIX) is an approach to make it easier for people to get their feet wet with visualization. The DAVIX live CD contains a huge collection of visualization, log processing, and analysis tools that you can leverage to analyze your security data. You don’t have to download the tools, compile them, configure them, etc. It’s all done for you. DAVIX is a great way to explore the topic of visualization.
- Learn about visualization: It's important for security people to understand the basics of visualization. Learn a bit about perception and good practices for generating effective graphs. Learn about which charts to use for which kinds of use-cases and data. This is the minimum you should know about visualization.
- Understand your data: Visualization is not a magic method that will explain the contents of a given data set. Without understanding the underlying data, you can't generate a meaningful graph and you won't be able to interpret the graphs generated.
- Get to know your environment: I can be an expert in firewalls and know all there is to know about a specific firewall's logs. However, if you give me a visualization of a firewall log, I won't be able to tell you much or help you figure out what you should focus on. Context is important. You need to know the context in which the logs were generated. What are the roles of the machines on the network, what are some of the security policies, what type of traffic is normal, etc. You can use visualization to help understand the context, but there are things you have to know up front.
- Don't get scared: The topic of security visualization is a big one. You have to know a lot of things from visualization to security. Start small. Start with some data that you know well. Start with some simple use-cases and explore visualization slowly.
- Don't do it all at once: Start with a small data set. Maybe a few hundred log lines. Once you are happy with the results you get for a small data set, increase the size and see what that does to your visualization. Still happy? Increase the size some more until you end up with the complete data set.
- Don't do it yourself: If you're in charge of data analysis and you aren't the data owner (meaning that you don't understand the application that generates the data intimately well), you should get help from the data owner. Have the application developers or other experts help you understand the data and create the visuals together with you.
Who should read this book? I wrote Applied Security Visualization for security practitioners. I am introducing new ways to analyze security data to the people who can implement them. The reader should have a basic understanding of programming to follow the Perl and UNIX scripts in the book. I assume that you are familiar with basic networking concepts and have seen a log file before. You don’t have to be an expert in IT security or compliance. It helps to have an understanding of the basic concepts, but it is definitely not a prerequisite for this book.
What can readers expect to learn? The goal for the readers is to gather the knowledge to visualize and manage their own IT data. They will learn the basics of log analysis, learn about common data sources, get an overview of visualization techniques, and learn how to generate visual representations of security data for a number of different use-cases from DoS and worm detection to compliance reporting. The book is filled with practical examples of how security visualization can be applied to solve every-day problems more efficiently.