Information Security

Activate your FREE membership today  |  Log-in

  • Visit other TechTarget ANZ sites: 
Home  >  Articles  >  Software maker touts value of security data visualisation
Posted
Dec 4, 2007
 |  By:  Elaine Hom

Software maker touts value of security data visualisation

Tools: Print article RSS Feeds
Bookmark and Share

With network intrusion detection systems and other types of security data gathering tools, the average company ends up amassing large quantities of security data. But how to make sense of it? Greg Conti, creator of RUMINT open source software, recently released the book Security Data Visualisation, which explains how to use visualisation technology to interpret security data with engaging graphics and easy-to-read charts. We spoke with Conti to learn more about using security data visualisation to sell security products in the channel.

What is the concept behind security data visualisation?

Conti: Security data visualisation is a technique whose time has come. There's no shortage of security appliances and sensors, and each of those generates a tremendous amount of data. The data can be overwhelming because there are only a limited number of experts who can make sense of it. There are things humans are inherently good at, such as recognising patterns, and there are things that machines are good at, like matching exact strings. Where computers are bad, that's where visualisations come in and help people make sense of the sea of data that they are confronted with.

People are wired to think visually and have a high bandwidth of visual recognition capability that we can use to communicate. A picture is worth a thousand words. If you can take this textual data or binary data and convert it to insightful pictures, you can then use it to communicate your message to other analysts, to your customers or to senior decision makers.

What is the process of security data visualisation?

Conti: Typically, you have a large set of data that you want to find insight in. You combine that with a set of "problems" or tasks that you want to accomplish. You have this data and these tasks that you have no current solution for and no way to address. The process of visualisation is taking the data and presenting it graphically in an insightful way. That's also the hard part.

Can you give some examples?

Conti: The best example and the lowest end of information visualisation is with Excel graphics. You take a table of data and it's very hard to pick out what's biggest and smallest, to see a trend over time, but a simple graph will make things pop out at you. There's been active research going back 20 to 30 years, beyond Excel-class graphics like pie charts and bar graphs, and there's 200, 300 techniques that can be applied to take what you see to a higher level. It may allow you to compare 10 different types of variables at one time versus just a pie chart, which is far more limited. You're taking these visualisation approaches -- mapping the data to the visual display and providing these windows into what you're looking at.

You've developed this program, RUMINT. Can you describe it for us?

Conti: It is a bit of a joke -- it comes from intelligence community slang. People know SIGINT for signal intelligence, HUMINT for human intelligence, and IMINT for imagery intelligence like satellite images. RUMINT is for rumour intelligence. The idea is that when you're trying to help people solve a problem, you draw a box around what you're going to address. It addresses network data and packets of data. RUMINT keeps an eye on network packets of data.

How is it different from other tools that do the same thing?

Conti: The best-in-breed tool is WireShark, formerly Ethereal. It's great but it's primarily textual. I wanted to see if could I take that same packet-level data and show it in a graphic, insightful way. That's what RUMINT does -- it loads the packet capture files and allows you to look at them with different views. Things will jump out that would be very hard to see in a textual view.

RUMINT is an open source tool and it's free for people to use and experiment with. I've put a lot of effort into making it usable. When building prototypes, there's a long road between creating something that only the person who wrote it can use to something that people can actually download, install and use. It allows you to see different types of activities that are impossible to see using textual tools, such as different types of different values in the packets changing over time.

With RUMINT, it's a good tool, but I won't claim it will cure cancer. It's a step in applying visualisation to solve different problems.

How does one acquire security data visualisation tools?

Conti: You can buy someone else's solution that has visualisation capabilities -- Arcsight comes to mind as one tool. You can also develop your own tools that you can use for visual approaches. I've received feedback as developing RUMINT and one person compared it to being as fun as playing a video game. It's an important goal. If you find the right tool, your people actually want to look at the data and find it engaging and fun versus tedious and painful. Whether you're using someone else's tool at an SMB or building your own tool at a larger company, that's the same goal -- find it to be engaging and insightful, not just eye candy.

What industries can security data visualisation apply to?

Conti: It's broadly applicable across sectors, but especially ones that require heavy analysis of data, particularly larger amounts of data where they're bursting at the seams and current tools can be overwhelmed. It's something that requires a human in the loop -- if they have machine solutions, visualisation won't really help unless they're trying to find some new insight into the data. If they have successful machines, they won't need it and will save the humankind for scenarios or questions that require a human's intelligence.

Do you see opportunities for value-added resellers and systems integrators to use security data visualisation?

Conti: Visualisation in general is very good for communicating a corporate message and problem. If you're trying to show distributed denial-of-service (DDoS) attacks, you can show a series of images and say, "This is what your network looks like, this data shows security problems." I think you could use visualisation to communicate in an image something that will be easily interpreted by the people you're trying to communicate to. RUMINT can do that to a degree, but I think visualisation in general can help you sell to customers and senior decision makers.

RUMINT can do it for packet data. One RUMINT user told me that they used it in a hospital and one machine was misbehaving. They used RUMINT to create a picture of what the machine was doing as opposed to an uninfected machine and were able to show the user why their machine was being taken off the network.

What type of customer can benefit the most from security data visualisation?

Conti: That would be MSPs [managed service providers]. As an MSP, there's a security threat that you're trying to make your customers aware of. Visualisations can be used for that. RUMINT can be part of it, but full visualisation is the best approach.


© 2010 TechTarget ANZ. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this website constitutes acceptance of the TechTarget ANZ Terms and Conditions and Privacy Policy.

TechTarget ANZ sites: SearchCIO.com.au | SearchNetworking.com.au | SearchSecurity.com.au | SearchStorage.com.au | SearchVoIP.com.au

WF Online community sites: ElectricalSolutions | ElectronicsOnline | FoodProcessing | InMotionOnline | LabOnline | ProcessOnline | RadioComms | SafetySolutions | SustainabilityMatters | Voice&Data

Copyright © 2010 Westwick-Farrow Pty Ltd. All rights reserved.
About Us | Contact Us | TechTarget