
If you have ever analyzed a large log file with tens of thousands of entries, you know how hard it is. A visual approach significantly facilitates the task (as compared to using text-based tools). Visualization offers a number of benefits over textual analysis of data. These benefits are based on people’s ability to process images efficiently. People can scan, recognize, and recall images rapidly. In addition, the human brain is an amazing pattern-recognition tool, and it can detect changes in size, color, shape, movement, and texture very efficiently. The following is a summary of visualization benefits:

Answers a question: Visualization enables you to create an image for each question you may have about a dataset. Instead of wading through textual data and trying to remember all the relationships between individual entries, you can use an image that conveys the data in a concise form.

Poses new questions: One interesting aspect of visual representations is that they cause the viewer to pose new questions. A human has the capability to look at a visual representation of data and see patterns. Often, these patterns are not anticipated at the time the visual is generated. What is this outlier over here? Why do these machines communicate with each other?

Explore and discover: By visualizing data, you have a new way of viewing and investigating data. A visual representation provides new insights into a given dataset. Different graphs and configurations highlight various different properties in the dataset and help identify previously unknown information. If the properties and relationships were known upfront, it would be possible to detect these incidents without visualization. However, they had to be discovered first, and visual tools are best suited to do so. Interactive visualizations enable even richer investigations and help discover hidden properties of a dataset.

Support decisions: Visualization helps to analyze a large amount of data very quickly. Decisions can be based on a large amount of data because visualization has helped to distill it into something meaningful. More data also helps back up decisions. Situational awareness is a prime tool to help in decision support.

Communicate information: Graphical representations of data are more effective as a means of communication than textual log files. A story can be told more efficiently, and the time to understand a picture is a fraction of the time that it takes to understand the textual data. Images are great for telling a story. Try to put a comic into textual form. It just doesn’t do the trick.

Increase efficiency: Instead of wading through thousands of lines of textual log data, it is much more efficient to graph certain properties of the data to see trends and outliers. The time it takes to analyze the log files is drastically cut down. This frees up people’s time and allows them to think about the patterns and relationships found in the data. It also speeds up the detection of and response to new developments. Fewer people are needed to deal with more data.

Inspire: Images inspire. While visually analyzing some of the datasets for this book, I got inspired many times to try out a new visualization, a new approach of viewing the same data. Sometimes these inspirations are dead ends. A lot of times, however, they lead to new findings and help better understand the data at hand.

If data visualization has all of these benefits, we should explore what visualization can do for security.

SECURITY VISUALIZATION

The field of security visualization is very young. To date, only a limited amount of work has been done in this area. Given the huge amount of data needed to analyze security problems, visualization seems to be the right approach:

• The ever-growing amount of data collected in IT environments asks for new methods and tools to deal with them.

• Event and log analysis is becoming one of the main tools for security analysts to investigate and comprehend the state of their networks, hosts, applications, and business processes. All these tasks deal with an amazing amount of data that needs to be analyzed.

• Regulatory compliance is asking for regular log analysis. Analysts need better and more efficient tools to execute the task.

• The crime landscape is shifting. Attacks are moving up the network stack. Network-based attacks are not the prime source of security problems anymore. The attacks today are moving into the application layer: Web 2.0, instant messenger attacks, fraud, information theft, and crime-ware are just some examples of new types of attacks that generate a load of data to be collected and analyzed. Beware! Applications are really chatty and generate a lot of data.

• Today, the attacks that you really need to protect yourself from are targeted. You are not going to be a random victim. The attackers know who they are coming for. You need to be prepared, and you have to proactively analyze your log files. Attackers will not set off your alarms.

Because of the vast amount of log data that needs to be analyzed, classic security tools, such as firewalls and intrusion detection systems, have over time added reporting capabilities and dashboards that are making use of charts and graphics. Most of the time, these displays are used to communicate information to the user. They are not interactive tools that support data exploration. In addition, most of these visual displays are fairly basic and, in most cases, an afterthought. Security products are not yet designed with visualization in mind. However, this situation is slowly improving. Companies are starting to realize that visualization is a competitive advantage for them and that user tasks are significantly simplified with visual aids.

The problem with these tools is that they are specialized. They visualize only the information collected or generated by that specific solution. We need to visualize information from multiple tools and for use-cases that are not supported by these tools. Novel methods are needed to conduct log and security data analysis.