February 03, 2009, 5:04 PM — Having spent 6 years shooting crossbow and air rifle on the Swiss National Team, Raffael Marty knows how to shoot straight. Here, the author of Applied Security Visualization shares 3 must-dos (and 3 don'ts) for effective visualization.
This is part of a regular series that highlights new books and their authors. Also in this series: Joel Scambray on exposing the hacker's advantage, Brandon Carroll on getting back to basics with wireless networking, and Scott Hogg on planning a secure migration to IPv6.
"Computers are a very exact science. You tell them to do something and they do exactly that. Visualization is an art," says Raffael Marty, author of Applied Security Visualization. "Visualizing security data is really the intersection of both of these disciplines. You have a lot of creative freedom when generating visuals. However, you are restrained to certain principles. It’s both an art and a science to create the right visuals in order for them to be useful. I like that intersection. I like the fact that I apply my creativity and combine it with my security domain knowledge in order to solve security problems."
Advice for newbies

Security visualization can be an overwhelming topic. There are so many things you have to know in order to visualize your security data. One of the biggest problems is the non-existence of a comprehensive security visualization tool. The Data Analysis and Visualization Linux (DAVIX) is an approach to make it easier for people to get their feet wet with visualization. The DAVIX live CD contains a huge collection of visualization, log processing, and analysis tools that you can leverage to analyze your security data. You don’t have to download the tools, compile them, configure them, etc. It’s all done for you. DAVIX is a great way to explore the topic of visualization.
- Learn about visualization: It's important for security people to understand the basics of visualization. Learn a bit about perception and good practices for generating effective graphs. Learn about which charts to use for which kinds of use-cases and data. This is the minimum you should know about visualization.
- Understand your data: Visualization is not a magic method that will explain the contents of a given data set. Without understanding the underlying data, you can't generate a meaningful graph and you won't be able to interpret the graphs generated.
- Get to know your environment: I can be an expert in firewalls and know all there is to know about a specific firewall's logs. However, if you give me a visualization of a firewall log, I won't be able to tell you much or help you figure out what you should focus on. Context is important. You need to know the context in which the logs were generated. What are the roles of the machines on the network, what are some of the security policies, what type of traffic is normal, etc. You can use visualization to help understand the context, but there are things you have to know up front.
- Don't get scared: The topic of security visualization is a big one. You have to know a lot of things from visualization to security. Start small. Start with some data that you know well. Start with some simple use-cases and explore visualization slowly.
- Don't do it all at once: Start with a small data set. Maybe a few hundred log lines. Once you are happy with the results you get for a small data set, increase the size and see what that does to your visualization. Still happy? Increase the size some more until you end up with the complete data set.
- Don't do it yourself: If you're in charge of data analysis and you aren't the data owner (meaning that you don't understand the application that generates the data intimately well), you should get help from the data owner. Have the application developers or other experts help you understand the data and create the visuals together with you.
Who should read this book?

I wrote Applied Security Visualization for security practitioners. I am introducing new ways to analyze security data to the people who can implement them. The reader should have a basic understanding of programming to follow the Perl and UNIX scripts in the book. I assume that you are familiar with basic networking concepts and have seen a log file before. You don’t have to be an expert in IT security or compliance. It helps to have an understanding of the basic concepts, but it is definitely not a prerequisite for this book.
What can readers expect to learn?

The goal for the readers is to gather the knowledge to visualize and manage their own IT data. They will learn the basics of log analysis, learn about common data sources, get an overview of visualization techniques, and learn how to generate visual representations of security data for a number of different use-cases, from DoS and worm detection to compliance reporting. The book is filled with practical examples of how security visualization can be applied to solve everyday problems more efficiently.