Many companies are required to keep certain log files detailing important system events, but until now, most firms haven't been properly analyzing them, if they analyze them at all.
One researcher is trying to make the data easier to use. Raffael Marty, a security expert with log management firm Splunk Inc., wrote
"If you look at log files or system events to understand what is going on in your machines or in your network, a lot of people look at their textual logs. … and the problem is you have 100,000 lines or more so it's really hard to figure out what's happening in that data," Marty said. "If you generate a picture from that data you very quickly can see what is going on in there."
The goal is to take network traffic, intrusion defense system and firewall data and begin visualizing pieces of it to create an overall picture of the company's security posture. When you start developing the appropriate chart or graph to better flesh out the data, you can begin to see patterns and sometimes certain pieces of information stand out, Marty said.
Raffael Marty, author of Applied Security Visualization, talks about how security visualization techniques can help improve security decisions. Marty is chief security strategist at log analysis vendor Splunk.
The field of security visualization is still relatively immature and needs much more research, Marty said. Few tools are available to use visualization in a security investigation.
"If there were more tools out there to make this easier I think a lot more people would actually use visualization," Marty said.
Visualizing thousands or even millions of log files can get tricky, Marty said. Companies need a solid handle on the data they are collecting, and security pros need to understand the entries to a certain degree; firewall log files would be useless with little domain expertise on staff to help generate graphs.
Marty has released a Linux CD called Data Analysis and Visualization Linux (DAVIX). The build is based on the SLAX distribution and includes some free tools for data processing and visualization. Marty also created a log file analysis tool called AfterGlow, which generates event graphs and treemaps.
To get the best results, log data needs to be filtered down and clustered together, Marty said.
"With firewall log files, you don't need to know what specific IP address is connecting to me from the outside," Marty said. "You can cluster it to get a general idea of what happened and then if you want to drill down you can open up that cluster."
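As an added illustration of the filter-and-cluster step Marty describes (example code written for this article, not taken from AfterGlow or DAVIX): it folds constructed iptables-style firewall lines into /24 source clusters, lets you open a cluster back up to see the individual addresses, and emits three-column source,event,target rows of the shape AfterGlow's link graphs read (the CSV layout is an assumption here).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed iptables-style syslog lines; not taken from a real device.
LOG_LINES = [
    "kernel: FW-DROP IN=eth0 SRC=203.0.113.17 DST=192.0.2.10 PROTO=TCP DPT=22",
    "kernel: FW-DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP DPT=22",
    "kernel: FW-DROP IN=eth0 SRC=203.0.113.91 DST=192.0.2.10 PROTO=TCP DPT=22",
    "kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=443",
    "kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=443",
    "kernel: noise line without firewall fields",
]

FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line is not a firewall event."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return src, dst, proto, int(dpt)

def cluster(ip, prefix_len=24):
    """Collapse one address into its /prefix_len network: 203.0.113.17 -> 203.0.113.0/24."""
    return str(ip_network(f"{ip}/{prefix_len}", strict=False))

def aggregate(lines, prefix_len=24):
    """Count events per (source cluster, destination, port) instead of per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            src, dst, _proto, dpt = rec
            counts[(cluster(src, prefix_len), dst, dpt)] += 1
    return counts

def drill_down(lines, src_cluster):
    """Open a cluster back up: the individual source IPs that were folded into it."""
    net = ip_network(src_cluster)
    return sorted({r[0] for r in map(parse_line, lines) if r and ip_address(r[0]) in net})

def afterglow_rows(counts):
    """source,event,target rows; assumed to match AfterGlow's three-column CSV input."""
    return [f"{src},{dpt},{dst}" for (src, dst, dpt) in sorted(counts)]

if __name__ == "__main__":
    for (src, dst, dpt), n in sorted(aggregate(LOG_LINES).items()):
        print(f"{src} -> {dst}:{dpt}  {n} events")
```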
Visualization could be used to build dashboards for a company compliance program, Marty said. For example, a chart or graph could help visualize violations per Payment Card Industry Data Security Standard (PCI DSS) requirement, helping companies determine where they fall short of the standard. To meet Sarbanes-Oxley (SOX), some firms could get value out of visualizing the traffic going to the server hosting the company's financial data.
Marty said visualization can be an important tool in finding database violations in real-time event data. It can be used to audit large database management systems, such as Oracle and Microsoft SQL Server, to figure out who accessed a particular table and whether the table was altered.
"If you correlate it to the users you can find violations very quickly," Marty said.