Visual Security Event Analysis

      Raffael Marty, GCIA, CISSP
              ArcSight Inc.
          02/14/06 – HT2-103
Disclaimer

IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
Who Am I?

 ●   Raffael Marty, GCIA, CISSP
 ●   Strategic Application Solutions @ ArcSight, Inc.
 ●   Intrusion Detection Research @ IBM Research
 ●   IT Security Consultant @ PriceWaterhouse Coopers
 ●   Open Vulnerability and Assessment Language (OVAL) board
     member
 ●   Speaker at Various Security Conferences
 ●   Passion for Visual Security Event Analysis
     see http://afterglow.sourceforge.net
Table Of Contents

• The Security Monitoring Challenge
• Solving Event Overload - Today
  —   Normalization
  —   Prioritization
  —   Correlation
• Visual Security Event Analysis
  —   Situational Awareness
  —   Real-time Monitoring
  —   Forensic and Historical Analysis
A Picture is Worth a Thousand Log Entries

Detect the Expected & Discover the Unexpected

Reduce Analysis and Response Times

Make Better Decisions
Typical Security Monitoring Challenges

• Complexity: “How can I manage this flood of data?”
• Accuracy: “I wish I could see prioritized and relevant information!”
• Efficiency: “How can we prioritize and communicate efficiently?”
• Reporting: “How can I demonstrate compliance?”

… and do it all cost effectively
The Needle in the Haystack

Security information / events are reduced stage by stage:

• Raw events (tens of millions per day): normal audit trail, failed attacks, false alarms
• Security events (millions per day): pre-attacks, policy violations, identified vulnerabilities
• Less than 1 million per month: attack formation, potential breaches, misuse
• A few thousand per month: verified breaches

The three areas of concern cut across all stages: Defense in Depth, Insider Threat, Compliance.
Solving Event Overload - Today
Data Analysis Components

• Collection, Normalization, and Aggregation
• Risk-based Prioritization with Vulnerability and Asset Information
• Real-time Correlation across event sources
  —   Rule-based Correlation
  —   Statistical Correlation
• Advanced Analytics (Intelligence)
  —   Pattern Detection
Event Normalization and Categorization

Normalization – sample raw PIX events:

Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Categorization – the last event (%PIX-6-106015, a denied TCP packet) is the example mapped onto a vendor-neutral category.
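The following Python is an added example, not code from the original deck or from ArcSight. It normalizes the four PIX lines above into one schema (timestamp, severity, message id, protocol, source and destination endpoints) and assigns each a vendor-neutral category by message id, so that a later rule can say "firewall deny" instead of enumerating vendor ids. The category taxonomy, field names and the `NormalizedEvent` type are assumptions of the example; the raw lines are the slide's own (obfuscated) data.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The four raw PIX syslog lines shown on the slide (addresses obfuscated by the author).
RAW_PIX_EVENTS = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src "
    "outside:10.50.215.97/6346 dst outside:204.110.228.254/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from "
    "isp:10.50.107.51/1967 to outside:204.110.228.254/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 "
    "for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
    "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
]

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
ENDPOINT_RE = re.compile(r"(?:(?P<iface>\w+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")
PROTO_RE = re.compile(r"\b(tcp|udp|icmp)\b", re.IGNORECASE)

# Vendor-neutral categories keyed by PIX message id. The taxonomy is an assumption made for
# this example; the point is that rules match on the category, not on the vendor id.
CATEGORIES = {
    "106011": ("Firewall", "Access", "Deny"),
    "106015": ("Firewall", "Access", "Deny"),
    "302013": ("Firewall", "Connection", "Built"),
    "305011": ("Firewall", "Translation", "Built"),
}


@dataclass
class NormalizedEvent:
    timestamp: datetime
    vendor_severity: int          # syslog severity as the PIX reports it: 0 = emergency ... 7 = debug
    message_id: str
    category: tuple
    action: str                   # "deny" or "permit", derived from the category
    protocol: Optional[str]
    src_iface: Optional[str]
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_iface: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    raw: str


def parse_pix(line: str) -> Optional[NormalizedEvent]:
    """Normalize one PIX syslog line into the common schema; None if it is not a PIX message."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    body = m["body"]
    # Drop parenthesised text so NAT-mapped addresses like "(204.110.228.254/62013)" are not
    # mistaken for endpoints; "(No xlate)" and "(no connection)" go with them.
    flat = re.sub(r"\s*\([^)]*\)", "", body)
    endpoints = [e.groupdict() for e in ENDPOINT_RE.finditer(flat)]
    endpoints += [{"iface": None, "ip": None, "port": None}] * (2 - len(endpoints))
    first, second = endpoints[0], endpoints[1]
    # 302013 lists the outside endpoint first, so for an outbound connection the initiator
    # is the second endpoint (the slide's 305011 line shows 10.50.107.51 being translated
    # to 204.110.228.254/62013, which confirms the direction).
    if m["msgid"] == "302013" and "outbound" in body:
        first, second = second, first
    category = CATEGORIES.get(m["msgid"], ("Firewall", "Unknown", "Unknown"))
    proto = PROTO_RE.search(body)
    return NormalizedEvent(
        timestamp=datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        vendor_severity=int(m["sev"]),
        message_id=m["msgid"],
        category=category,
        action="deny" if category[2] == "Deny" else "permit",
        protocol=proto.group(1).lower() if proto else None,
        src_iface=first["iface"], src_ip=first["ip"],
        src_port=int(first["port"]) if first["port"] else None,
        dst_iface=second["iface"], dst_ip=second["ip"],
        dst_port=int(second["port"]) if second["port"] else None,
        raw=line,
    )


def normalize_all(lines):
    """Parse a batch of lines, skipping anything that is not a PIX message."""
    return [ev for ev in map(parse_pix, lines) if ev is not None]
```

The direction handling for 302013 is the part worth noting: the PIX prints the foreign endpoint first, so a naive "first address is the source" parser gets outbound connections backwards, and every downstream rule keyed on source address inherits that mistake.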
Risk-based Prioritization

Event sources feeding agents and the collector: vulnerability scanner, asset information, security devices, Unix/Linux/AIX/Solaris, mainframe & apps, databases, Windows systems.

Each collected event is scored on Agent Severity, Asset Criticality, Relevance and Model Confidence; the combined Severity turns it into a Prioritized Event.
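An added example (not the deck's or ArcSight's own formula) of how the four factors above can be combined. Agent severity comes from the device, criticality from the asset inventory, relevance from whether the scanner says the target is actually exposed to the attack, and model confidence from how much scan data backs that answer. The weights, the neutral value of 5, the asset and event records and the vulnerability identifiers are all constructed assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """What the asset model knows about one host (constructed sample data)."""
    ip: str
    criticality: int                      # business criticality 0..10 from the asset inventory
    scanned: bool                         # do we have vulnerability-scanner results for it?
    open_ports: frozenset = frozenset()   # listening ports reported by the scanner
    vulns: frozenset = frozenset()        # scanner findings as opaque identifiers


@dataclass(frozen=True)
class Event:
    agent_severity: int                   # 0..10 severity assigned by the device agent
    dst_ip: str
    dst_port: int
    targets: frozenset = frozenset()      # vulnerabilities the signature exploits, if known


@dataclass(frozen=True)
class Priority:
    score: float
    severity: int
    criticality: int
    relevance: int
    confidence: int


# Constructed asset model: a vulnerable web server and a patched file server; 192.0.2.10 is unknown.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", criticality=9, scanned=True,
                      open_ports=frozenset({80, 443}), vulns=frozenset({"web-overflow-001"})),
    "10.0.0.7": Asset("10.0.0.7", criticality=6, scanned=True,
                      open_ports=frozenset({445}), vulns=frozenset()),
}

# Constructed events: the same IDS signature (severity 8) fired against three different targets.
SAMPLE_EVENTS = [
    Event(8, "10.0.0.5", 80, frozenset({"web-overflow-001"})),    # target is vulnerable
    Event(8, "10.0.0.7", 80, frozenset({"web-overflow-001"})),    # port 80 is not even open
    Event(8, "192.0.2.10", 80, frozenset({"web-overflow-001"})),  # nothing known about target
]


def relevance(event: Event, asset: Optional[Asset]) -> tuple:
    """Return (relevance, model_confidence), both 0..10.

    Relevance asks "can this attack succeed against this target?"; model confidence says how
    much scan data backs that answer. With no asset data the answer is neutral (5) and the
    confidence is 0, so an unmodeled host is neither hidden nor inflated.
    """
    if asset is None or not asset.scanned:
        return 5, 0
    if event.targets & asset.vulns:
        return 10, 10                     # scanner says the target has exactly this hole
    if event.dst_port not in asset.open_ports:
        return 0, 10                      # nothing listening: the attack cannot land
    if event.targets:
        return 2, 10                      # service up, but not vulnerable to this signature
    return 6, 10                          # generic event against an open port


def prioritize(event: Event, assets: dict) -> Priority:
    """Combine agent severity, asset criticality and confidence-weighted relevance.

    The weights (0.4 / 0.3 / 0.3) and the blend toward a neutral 5 are assumptions of this
    example; the components are returned so an analyst can see why an event ranks where it does.
    """
    asset = assets.get(event.dst_ip)
    crit = asset.criticality if asset else 5
    rel, conf = relevance(event, asset)
    effective_rel = conf / 10 * rel + (1 - conf / 10) * 5
    score = 0.4 * event.agent_severity + 0.3 * crit + 0.3 * effective_rel
    return Priority(round(score, 2), event.agent_severity, crit, rel, conf)


def rank(events, assets):
    """Highest-priority events first, each paired with its explanation."""
    return sorted(((prioritize(e, assets), e) for e in events), key=lambda pe: -pe[0].score)
```

Note the ordering the model produces: the identical signature against a host known to have the vulnerability ranks first, against an unknown host second, and against a host known not to be listening last. Without the asset and vulnerability data, all three would have carried the same agent severity.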
Event Correlation

• Most overused and least well-defined concept in ESM.
• Combine multiple events through predefined rules
  or analyze statistical properties of event streams
  —Across devices
  —Heavily utilizing event categorization
• Helps eliminate false positives
• Correlation is not prioritization!
  —Can use priorities of individual events
Four Types of Real-time Correlation

 • Simple Event Match
   Failed logins on UNIX systems + Failed logins on Windows systems
   → 5 or more failed logins in a minute from same source
   → Attempted Brute Force Attack

 • Complex Multi-Event Match
   Attempted Brute Force Attack + Successful login to Windows systems
Four Types of Real-time Correlation

 •   Statistical
      —    Mathematical model
      Example: 50% increase in traffic per port and machine (chart: traffic per port going to 10.0.0.2)

 •   Stateful
      —    Manually populated list, e.g. a terminated employee list (jdoe, ram, …)
      Login attempt from user ram → user on terminated employee list tries to login

 The four types at a glance: Simple, Complex, Statistical, Stateful (manual population).
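The two slides above describe four correlation types by example. The following Python is an added illustration, not the deck's or ArcSight's rule engine, implementing each of them over constructed, already-normalized events: a sliding-window simple match (five failed logins in a minute from one source, counted across Unix and Windows because both carry the same category), a complex match that consumes the resulting correlated event and pairs it with a subsequent successful login, a statistical check for a 50% increase in traffic per port and machine, and a stateful lookup against a manually populated terminated-employee list. The event fields, category names, addresses and flow records are assumptions of the example; the user names jdoe and ram and the address 10.0.0.2 are the slide's.

```python
from collections import defaultdict, deque

# Constructed, already-normalized events, in time order. Unix and Windows failed logins
# share the category "auth/failure", which is what lets one rule count both.
SAMPLE_EVENTS = [
    {"ts": 100, "category": "auth/failure", "src": "10.1.1.50", "user": "root", "device": "unix"},
    {"ts": 110, "category": "auth/failure", "src": "10.1.1.50", "user": "administrator", "device": "windows"},
    {"ts": 120, "category": "auth/failure", "src": "10.1.1.50", "user": "root", "device": "unix"},
    {"ts": 130, "category": "auth/failure", "src": "10.1.1.50", "user": "administrator", "device": "windows"},
    {"ts": 140, "category": "auth/failure", "src": "10.1.1.50", "user": "administrator", "device": "windows"},
    {"ts": 150, "category": "auth/failure", "src": "10.1.1.60", "user": "bob", "device": "unix"},
    {"ts": 160, "category": "auth/failure", "src": "10.1.1.60", "user": "bob", "device": "unix"},
    {"ts": 170, "category": "auth/success", "src": "10.1.1.60", "user": "bob", "device": "unix"},
    {"ts": 200, "category": "auth/success", "src": "10.1.1.50", "user": "administrator", "device": "windows"},
    {"ts": 300, "category": "auth/failure", "src": "10.1.1.70", "user": "ram", "device": "windows"},
]

# Constructed flow records for the statistical example: bytes per destination port on 10.0.0.2.
SAMPLE_FLOWS = (
    [{"ts": t, "dst": "10.0.0.2", "dport": 80, "bytes": 100} for t in range(0, 600, 60)]
    + [{"ts": t, "dst": "10.0.0.2", "dport": 443, "bytes": 100} for t in range(0, 600, 60)]
    + [{"ts": t, "dst": "10.0.0.2", "dport": 80, "bytes": 160} for t in range(600, 1200, 60)]   # +60%
    + [{"ts": t, "dst": "10.0.0.2", "dport": 443, "bytes": 110} for t in range(600, 1200, 60)]  # +10%
)

# Manually populated list for the stateful example; the user names are the slide's.
TERMINATED_USERS = {"jdoe", "ram"}


def detect_brute_force(events, window=60, threshold=5):
    """Simple event match: `threshold` or more failed logins from one source within `window` seconds."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["category"] != "auth/failure":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ts": ev["ts"], "category": "correlated/brute-force-attempt",
                           "src": ev["src"], "count": len(q)})
            q.clear()                             # one alert per burst, not one per extra failure
    return alerts


def detect_brute_force_success(events, brute_alerts, window=300):
    """Complex multi-event match: a brute-force alert followed, within `window` seconds, by a
    successful login from the same source. Correlated events are fed back in as ordinary input."""
    pending = {}
    out = []
    for ev in sorted(events + brute_alerts, key=lambda e: e["ts"]):
        if ev["category"] == "correlated/brute-force-attempt":
            pending[ev["src"]] = ev["ts"]
        elif (ev["category"] == "auth/success" and ev["src"] in pending
              and ev["ts"] - pending[ev["src"]] <= window):
            out.append({"ts": ev["ts"], "category": "correlated/brute-force-success",
                        "src": ev["src"], "user": ev["user"]})
            del pending[ev["src"]]
    return out


def detect_traffic_spike(flows, baseline, current, increase=0.5):
    """Statistical: bytes per (dst, port) in the current window vs. the baseline window;
    report every pair whose traffic grew by at least `increase` (50% by default)."""
    def total(lo, hi):
        sums = defaultdict(int)
        for f in flows:
            if lo <= f["ts"] < hi:
                sums[(f["dst"], f["dport"])] += f["bytes"]
        return sums
    base, cur = total(*baseline), total(*current)
    spikes = []
    for key in sorted(cur):
        if base.get(key, 0) > 0 and cur[key] >= base[key] * (1 + increase):
            pct = (cur[key] - base[key]) / base[key] * 100
            spikes.append((key[0], key[1], base[key], cur[key], pct))
    return spikes


def detect_terminated_user_login(events, terminated=TERMINATED_USERS):
    """Stateful: any login attempt, failed or successful, by a user on the manually kept list."""
    return [{"ts": ev["ts"], "category": "correlated/terminated-user-login",
             "src": ev["src"], "user": ev["user"], "outcome": ev["category"]}
            for ev in events if ev["category"].startswith("auth/") and ev["user"] in terminated]
```

The complex match is deliberately written to take the simple match's output as input: that chaining is what the deck's "Attempted Brute Force Attack + Successful Login" box means, and it is also why correlated events need a category of their own rather than being logged as free text.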
Advanced Analytics - Pattern Detection

 •   Automatically detect repetitive event patterns, for example this recurring sequence:

     Name                                                                         Device Product
     NETBIOS DCERPC Activation little endian bind attempt                         Snort
     NETBIOS DCERPC System Activity path overflow attempt little endian unicode   Snort
     Tagged Packet                                                                Snort
     SHELLCODE x86 NOOP                                                           Snort
     NETBIOS DCERPC Remote activity bind attempt                                  Snort

 •   Capability to detect new worms, malware, system misconfigurations, etc.
 •   Automatically create correlation rules to flag new occurrences of the attack
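An added example of the two bullets above, not the deck's or ArcSight's pattern-detection code: it groups IDS events into (source, destination) sessions, mines event-name sequences that recur in several sessions, keeps only the maximal ones, and turns each into a correlation rule that flags the sequence when it appears again. The signature names are the five from the slide's table; the sessions, addresses and timestamps are constructed, and the minimum-support heuristic is an assumption of the example.

```python
from collections import defaultdict

# Signature names from the slide's table (all from Snort), in the order they recurred.
WORM_SEQUENCE = (
    "NETBIOS DCERPC Activation little endian bind attempt",
    "NETBIOS DCERPC System Activity path overflow attempt little endian unicode",
    "Tagged Packet",
    "SHELLCODE x86 NOOP",
    "NETBIOS DCERPC Remote activity bind attempt",
)


def make_session(src, dst, start, names):
    """Build one session's worth of constructed IDS events, one second apart."""
    return [{"ts": start + i, "src": src, "dst": dst, "name": n} for i, n in enumerate(names)]


# Constructed IDS events: one source walks the same five-step sequence against three hosts,
# while an unrelated internal host trips two of the signatures in passing.
SAMPLE_EVENTS = (
    make_session("10.2.0.9", "10.0.0.11", 1000, WORM_SEQUENCE)
    + make_session("10.2.0.9", "10.0.0.12", 1010, WORM_SEQUENCE)
    + make_session("10.2.0.9", "10.0.0.13", 1020, WORM_SEQUENCE)
    + make_session("10.0.0.40", "10.0.0.11", 1030, WORM_SEQUENCE[2:4])
)


def build_sessions(events):
    """Group events into (src, dst) sessions and keep the time-ordered sequence of event names."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sessions[(ev["src"], ev["dst"])].append(ev["name"])
    return dict(sessions)


def _contains(short, long):
    """True if `short` occurs as a contiguous run inside `long` (both tuples)."""
    return any(long[i:i + len(short)] == short for i in range(len(long) - len(short) + 1))


def frequent_sequences(sessions, min_sessions=3, max_len=8):
    """Mine event-name n-grams (n >= 2) seen in at least `min_sessions` distinct sessions.
    Only maximal patterns are returned: a run that is part of a longer frequent run is dropped,
    so a five-step worm shows up once rather than as every 2-, 3- and 4-step fragment."""
    support = defaultdict(set)
    for sid, names in sessions.items():
        for n in range(2, min(max_len, len(names)) + 1):
            for i in range(len(names) - n + 1):
                support[tuple(names[i:i + n])].add(sid)
    frequent = {p for p, s in support.items() if len(s) >= min_sessions}
    maximal = [p for p in frequent
               if not any(len(q) > len(p) and _contains(p, q) for q in frequent)]
    return sorted(maximal, key=lambda p: (-len(p), p))


def make_rule(pattern):
    """Turn a mined pattern into a correlation rule: a predicate over a session's event names."""
    pattern = tuple(pattern)

    def rule(names):
        return _contains(pattern, tuple(names))
    return rule


def flag_new_occurrences(events, rules):
    """Run the generated rules over a new batch of events; return the sessions that match."""
    return sorted(sid for sid, names in build_sessions(events).items()
                  if any(rule(names) for rule in rules))
```

The support threshold is the knob that separates "a worm" from "two hosts that happened to trip the same pair of signatures": lowering it to the number of benign sessions makes the shared two-signature fragment frequent too, as the second-to-last check below shows.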
Visual Security Event Analysis
Why a Visual Approach Helps

A picture tells more than a thousand log lines
Visual Approach – Benefits I

 •   Multiple views on the same data

Visual Approach – Benefits II

 •   Selection and drill-down
 •   Color by different properties
Three Aspects of Visual Security Event Analysis

•   Situational Awareness
    —   What is happening in a specific business area
        (e.g., compliance monitoring)
    —   What is happening on a specific network
    —   What are certain servers doing

•   Real-Time Monitoring and Incident Response
    —   Capture important activities and take action
    —   Event Workflow
    —   Collaboration

•   Forensic and Historic Investigation
    —   Selecting arbitrary set of events for investigation
    —   Understanding big picture
    —   Analyzing relationships - Exploration
    —   Reporting
Situational Awareness

Instant Awareness
Event Graph Dashboard

MMS CDRs (figure: From Phone#, MSG Type, To Phone#)
Geo Spatial Visualization
Real-time Monitoring
Real-time Monitoring – Detect Activity
Analysis Process

1. Real-time Data Processing
2. Visual Detection
   → Automatic Action (automatic remediation)
   → Visual Investigation
3. Visual Investigation
   → Assign to 2nd Level Analysis
   → Assign Ticket for Operations
4. Historical and Forensic Analysis
5. Creation of new Filters and Correlation Components, fed back into step 1
Visual Detection and Investigation

Beginning of Analyst’s shift

Visual Detection

Scanning activity is displayed (figure: Firewall Blocks, Scan Events)
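The Visual Approach slides above list three benefits (multiple views, selection and drill-down, color by property) and this slide shows a scan appearing in the display. The Python below is an added example, not AfterGlow or the deck's tooling, that produces the kind of picture meant: it renders normalized firewall events as a Graphviz DOT link graph with edges colored by a chosen property, offers a `select` helper for drill-down, and computes the fan-out that makes a scanning source stand out as a star in the graph. The events, addresses and color choices are constructed assumptions of the example.

```python
import ipaddress
from collections import Counter, defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 check used to colour internal vs. external hosts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed, already-normalized firewall events: one external host probing ten ports on
# 10.0.0.2 (all denied) alongside a little ordinary permitted traffic.
SCAN_EVENTS = [
    {"src": "203.0.113.9", "dst": "10.0.0.2", "dport": p, "action": "deny", "proto": "tcp"}
    for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)
]
NORMAL_EVENTS = [
    {"src": "10.0.0.15", "dst": "10.0.0.2", "dport": 443, "action": "permit", "proto": "tcp"},
    {"src": "10.0.0.16", "dst": "10.0.0.2", "dport": 443, "action": "permit", "proto": "tcp"},
    {"src": "10.0.0.15", "dst": "10.0.0.3", "dport": 389, "action": "permit", "proto": "tcp"},
]
EVENTS = SCAN_EVENTS + NORMAL_EVENTS

# Colour maps for the "color by property" view; the property is chosen per graph.
PALETTE = {
    "action": {"deny": "red", "permit": "green3"},
    "proto": {"tcp": "blue", "udp": "orange"},
}


def select(events, **criteria):
    """Selection / drill-down: keep events whose fields satisfy every criterion
    (a scalar must be equal, a set/list/tuple must contain the value)."""
    def matches(ev):
        for field, wanted in criteria.items():
            if isinstance(wanted, (set, frozenset, list, tuple)):
                if ev.get(field) not in wanted:
                    return False
            elif ev.get(field) != wanted:
                return False
        return True
    return [ev for ev in events if matches(ev)]


def to_dot(events, color_by="action", palette=PALETTE):
    """Render events as a source -> destination link graph in Graphviz DOT.
    Edge label is the destination port, edge colour the chosen property, edge width the event
    count for that (src, dst, port, property) combination; internal hosts get a different fill."""
    edges = Counter((ev["src"], ev["dst"], ev["dport"], ev[color_by]) for ev in events)
    hosts = sorted({h for (s, d, _, _) in edges for h in (s, d)})
    lines = ["digraph events {", "  node [shape=box];"]
    for h in hosts:
        fill = "lightblue" if is_internal(h) else "lightgrey"
        lines.append(f'  "{h}" [style=filled, fillcolor={fill}];')
    for (src, dst, port, prop), count in sorted(edges.items()):
        colour = palette[color_by].get(prop, "black")
        lines.append(f'  "{src}" -> "{dst}" [label="{port}", color={colour}, penwidth={min(1 + count, 6)}];')
    lines.append("}")
    return "\n".join(lines)


def fan_out(events):
    """Distinct (destination, port) pairs per source: the star a scan draws in the graph, as a number."""
    targets = defaultdict(set)
    for ev in events:
        targets[ev["src"]].add((ev["dst"], ev["dport"]))
    return {src: len(t) for src, t in targets.items()}
```

Pipe the output of `to_dot` into `dot -Tpng` to get the picture. Rendering the same events with `color_by="proto"` instead of `"action"` is the "multiple views on the same data" point: nothing about the data changes, only which property the eye is asked to separate.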
Visual Investigation
Define New Correlation Rules and Filters

1. Rule: assign for further analysis if more than 20 firewall drops occur from an external machine to an internal machine
2. Filter: internal machines on the white-list connecting to Active Directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
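An added example, not the deck's or ArcSight's rule language, of the three steps above as code: the filter hides known-good traffic from white-listed internal machines to the directory servers, the rule counts firewall drops per (external source, internal destination) pair and opens a case for any pair over the threshold, and `triage` runs filter then rule as one pass of the feedback loop. The server and white-list addresses, the events and the 30/15/25/5 burst sizes are constructed assumptions of the example.

```python
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 check: the rule only cares about external -> internal drops."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed reference data for the filter: the directory servers and the internal machines
# whose traffic to them is known-good (the slide's "white-list").
AD_SERVERS = {"10.0.0.3", "10.0.0.4"}
WHITELIST = {"10.0.0.15", "10.0.0.16"}


def burst(src, dst, action, n, dport=445):
    """n identical constructed firewall events."""
    return [{"src": src, "dst": dst, "dport": dport, "action": action} for _ in range(n)]


# Constructed firewall events for one shift.
SAMPLE_EVENTS = (
    burst("198.51.100.7", "10.0.0.2", "deny", 30)         # external host, 30 drops: over threshold
    + burst("198.51.100.8", "10.0.0.2", "deny", 15)       # external host, 15 drops: under threshold
    + burst("10.0.0.15", "10.0.0.3", "permit", 25, 389)   # white-listed machine talking to AD: noise
    + burst("10.0.0.50", "10.0.0.2", "deny", 5)           # internal source: not this rule's business
)


def whitelist_filter(ev):
    """Filter (step 2): hide white-listed internal machines connecting to AD servers."""
    return not (ev["src"] in WHITELIST and ev["dst"] in AD_SERVERS)


def apply_filters(events, filters):
    """Events that survive every filter; this is what the analyst's view is built from."""
    return [ev for ev in events if all(f(ev) for f in filters)]


def external_to_internal_drops(events, threshold=20):
    """Rule (step 1): more than `threshold` firewall drops from one external machine to one
    internal machine are assigned for further, second-level analysis."""
    counts = Counter()
    for ev in events:
        if ev["action"] != "deny":
            continue
        if is_internal(ev["src"]) or not is_internal(ev["dst"]):
            continue
        counts[(ev["src"], ev["dst"])] += 1
    return [
        {"src": src, "dst": dst, "drops": n, "disposition": "assign to 2nd level analysis"}
        for (src, dst), n in sorted(counts.items())
        if n > threshold
    ]


def triage(events, filters=(whitelist_filter,), threshold=20):
    """One pass of the feedback loop: filter first, then run the rule on what remains.
    Returns (number of events the analyst still sees, cases opened)."""
    kept = apply_filters(events, filters)
    return len(kept), external_to_internal_drops(kept, threshold)
```

The filter and the rule reduce the analyst's load in different ways: the filter removes 25 of 75 events from the view before anyone looks at them, and the rule collapses 30 remaining drops into one case. Both were derived from one visual investigation and then written down so the next shift does not have to repeat it; that is the "feeding gained knowledge back into the workflow" point of the summary slide that follows.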
Real-time Analysis - Summary

 • Benefits of Visual Analysis
   —   Visually driven process for investigating events
   —   Visual investigation helps
          • getting a quick turn-around
          • detecting new and previously unknown patterns (i.e., incidents)
   —   Reduced event load for analysts by feeding gained knowledge back
       into the analysis work-flow.
Forensic and
Historical Analysis
Forensic and Historical Investigation

• Three Areas of Concern
  —   Defense in Depth

  —   Insider Threat

  —   Compliance
Defense In Depth - Port Scan Detection
Analysis - Port Scan?
Insider Threat – User Reporting

(figure: users with a high ratio of failed logins)
Insider Threat - Email Problems

(figure: email delivery delay per recipient; legend: 2:00 < Delay < 10:00, Delay > 10:00; axes: To, Delay)
Compliance – Business Reporting

• Attacks targeting internal systems (figure: attacks against revenue generating systems)

Compliance - Business Reporting
Summary

Detect the expected & discover the unexpected

Reduce analysis and response times

Make better decisions
Q&A
          Raffael Marty
           ArcSight, Inc.


Email:   raffy@arcsight.com

 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 

More from Raffael Marty

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's AdvantageRaffael Marty
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Raffael Marty
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousRaffael Marty
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data VisualizationRaffael Marty
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightRaffael Marty
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Raffael Marty
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Raffael Marty
 

More from Raffael Marty (10)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

RSA 2006 - Visual Security Event Analysis

  • 1. Visual Security Event Analysis Raffael Marty, GCIA, CISSP ArcSight Inc. 02/14/06 – HT2-103
  • 2. Disclaimer IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names are purely coincidental.
  • 3. Who Am I? ● Raffael Marty, GCIA, CISSP ● Strategic Application Solutions @ ArcSight, Inc. ● Intrusion Detection Research @ IBM Research ● IT Security Consultant @ PriceWaterhouse Coopers ● Open Vulnerability and Assessment Language (OVAL) board member ● Speaker at Various Security Conferences ● Passion for Visual Security Event Analysis see http://afterglow.sourceforge.net
  • 4. Table Of Contents • The Security Monitoring Challenge • Solving Event Overload - Today — Normalization — Prioritization — Correlation • Visual Security Event Analysis — Situational Awareness — Real-time Monitoring — Forensic and Historical Analysis
  • 5. A Picture is Worth a Thousand Log Entries • Detect the Expected & Discover the Unexpected • Reduce Analysis and Response Times • Make Better Decisions
  • 6. Typical Security Monitoring Challenges • Complexity: “How can I manage this flood of data?” • Accuracy: “I wish I could see prioritized and relevant information!” • Efficiency: “How can we prioritize and communicate efficiently?” • Reporting: “How can I demonstrate compliance?” … and do it all cost effectively
  • 7. The Needle in the Haystack (funnel diagram) Security information / events across three areas of concern: Defense in Depth, Insider Threat, Compliance. Volumes shrink from tens of millions per day, to millions per day, to less than 1 million per month, to a few thousand per month. Event classes shown on the funnel, broad to narrow: raw events, audit trail, normal activity; pre-attacks, failed attacks, false alarms, potential violations; attack formation, policy breaches, identified vulnerabilities, misuse; verified breaches.
  • 9. Data Analysis Components • Collection, Normalization, and Aggregation • Risk-based Prioritization with Vulnerability and Asset Information • Real-time Correlation across event sources — Rule-based Correlation — Statistical Correlation • Advanced Analytics — Pattern Detection
  • 10. Event Normalization and Categorization (Normalization / Categorization) Sample raw PIX events:
        Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
        Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
        Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
        Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
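Normalization is what makes the rest of the pipeline possible: four differently worded PIX messages become one fixed schema, and a categorization step maps vendor message ids onto a vendor-neutral taxonomy so that correlation rules can say "firewall deny" instead of "106011 or 106015". The following normalizer is an added example, not ArcSight's agent code; it parses exactly the four message types on the slide (using the talk's obfuscated addresses as constructed input) and the category labels are our own, since the real taxonomy strings are not on the slide. One detail worth the check: Cisco lists the server side first in an "outbound" 302013 message, as the slide's own example shows (the inside host on port 1967 is the initiator), so the normalizer swaps the endpoints to keep source = initiator.

```python
import re
from typing import Optional

# Constructed sample input: the four PIX message types shown on the slide,
# using the talk's obfuscated addresses.
SAMPLE_PIX = """\
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
"""

# Common PIX syslog header: timestamp, severity digit, six-digit message id, body.
HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)


def endpoint(prefix: str) -> str:
    """Regex for '[interface:]ip/port' with groups <prefix>if, <prefix>ip, <prefix>port."""
    return rf"(?:(?P<{prefix}if>\w+):)?(?P<{prefix}ip>\d+\.\d+\.\d+\.\d+)/(?P<{prefix}port>\d+)"


# One body pattern per message id this normalizer understands.
BODY = {
    "106011": re.compile(r"Deny inbound \(No xlate\) (?P<proto>\w+) src " + endpoint("s") + r" dst " + endpoint("d")),
    "305011": re.compile(r"Built dynamic (?P<proto>\w+) translation from " + endpoint("s") + r" to " + endpoint("d")),
    "302013": re.compile(r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<connid>\d+) for "
                         + endpoint("s") + r" \([^)]*\) to " + endpoint("d") + r" \([^)]*\)"),
    "106015": re.compile(r"Deny (?P<proto>\w+) \(no connection\) from " + endpoint("s") + r" to " + endpoint("d")
                         + r" flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"),
}

# Categorization: message id -> (normalized action, category path).
# The category strings are assumptions for this example, not ArcSight's taxonomy.
CATEGORY = {
    "106011": ("deny", "Firewall/Access/Deny"),
    "106015": ("deny", "Firewall/Access/Deny"),
    "305011": ("translate", "Firewall/NAT/Build"),
    "302013": ("permit", "Firewall/Connection/Build"),
}


def normalize(line: str) -> Optional[dict]:
    """Map one raw PIX line onto a fixed schema; None for lines we cannot parse."""
    h = HEADER.match(line.strip())
    if not h or h.group("msgid") not in BODY:
        return None
    msgid = h.group("msgid")
    m = BODY[msgid].match(h.group("body"))
    if not m:
        return None
    g = m.groupdict()
    src = (g.get("sif"), g["sip"], int(g["sport"]))
    dst = (g.get("dif"), g["dip"], int(g["dport"]))
    # Cisco's 302013 text lists the server side first for outbound connections
    # (see the slide's example); swap so the normalized source is the initiator.
    if msgid == "302013" and g["dir"] == "outbound":
        src, dst = dst, src
    action, category = CATEGORY[msgid]
    return {
        "timestamp": h.group("ts"), "device": "Cisco PIX", "severity": int(h.group("sev")),
        "msgid": msgid, "action": action, "category": category, "proto": g["proto"].lower(),
        "src_if": src[0], "src_ip": src[1], "src_port": src[2],
        "dst_if": dst[0], "dst_ip": dst[1], "dst_port": dst[2],
        "flags": g.get("flags"),
    }


def normalize_all(text: str) -> list:
    """Normalize every line of a raw feed, skipping lines no pattern matches."""
    return [e for e in map(normalize, text.splitlines()) if e is not None]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_PIX):
        print(ev["category"], ev["proto"], ev["src_ip"], ev["src_port"], "->", ev["dst_ip"], ev["dst_port"])
```

Unparseable lines return None rather than raising, which is the right failure mode for a collector: count them and alert on the count, but never stall the feed on one odd message.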
  • 11. Risk-based Prioritization (diagram) Event sources (Unix/Linux/AIX/Solaris, Windows systems, mainframe & apps, databases, security devices) feed device agents and the event collector; a vulnerability scanner agent and an asset information agent supply context. Each event is scored on Severity, Asset Criticality, Relevance and Security Model Confidence to produce a prioritized event.
  • 12. Event Correlation • Most overused and least well-defined concept in ESM. • Combine multiple events through predefined rules or analyze statistical properties of event streams —Across devices —Heavily utilizing event categorization • Helps eliminate false positives • Correlation is not prioritization! —Can use priorities of individual events
  • 13. Four Types of Real-time Correlation • Simple Event Match: failed logins on UNIX systems + failed logins on Windows systems → 5 or more failed logins in a minute from the same source → Attempted Brute Force Attack • Complex Multi-Event Match: Attempted Brute Force Attack + successful login to Windows systems → Successful Login (following a brute force attempt)
  • 14. Four Types of Real-time Correlation (continued) • Statistical — mathematical model, e.g. a 50% increase in traffic per port and machine (traffic per port going to 10.0.0.2) • Stateful — correlation against maintained state, e.g. a manually populated list of terminated employees (jdoe, ram, …); a login attempt from user ram fires “User on terminated employee list tries to login” (slide legend: Simple, Complex Correlation, Statistical, Manual Population)
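The four correlation types on slides 13 and 14 are easy to describe and easy to get subtly wrong (window handling, alerting once per burst, baselines of zero). The block below is an added example, not ArcSight's rule engine, implementing all four over constructed, already-categorized events: a sliding-window threshold (simple match), a follow-on match that consumes the first rule's output (multi-event), a per-(host, port) growth check with a separate case for ports that have no baseline (statistical), and a lookup against a manually populated list (stateful). Event fields, host names and the traffic figures are all invented for the example.

```python
from collections import defaultdict, deque

# Constructed input (not from the talk): login events already normalized and
# categorized by the collector, so UNIX and Windows failures are comparable.
# "t" is seconds since the start of the observation window.
AUTH_EVENTS = [
    {"t": 0,  "cat": "Auth/Failure", "os": "unix",    "src": "10.0.0.9", "dst": "srv1", "user": "root"},
    {"t": 10, "cat": "Auth/Failure", "os": "windows", "src": "10.0.0.9", "dst": "dc1",  "user": "jdoe"},
    {"t": 20, "cat": "Auth/Failure", "os": "unix",    "src": "10.0.0.9", "dst": "srv2", "user": "admin"},
    {"t": 30, "cat": "Auth/Failure", "os": "windows", "src": "10.0.0.9", "dst": "dc1",  "user": "jdoe"},
    {"t": 40, "cat": "Auth/Failure", "os": "windows", "src": "10.0.0.9", "dst": "dc1",  "user": "jdoe"},
    {"t": 55, "cat": "Auth/Success", "os": "windows", "src": "10.0.0.9", "dst": "dc1",  "user": "jdoe"},
    {"t": 70, "cat": "Auth/Failure", "os": "unix",    "src": "10.0.0.7", "dst": "srv1", "user": "ram"},
    {"t": 80, "cat": "Auth/Success", "os": "unix",    "src": "10.0.0.7", "dst": "srv1", "user": "ram"},
]

# Bytes per (destination host, port) in the previous and the current interval (constructed).
TRAFFIC_PREV = {("10.0.0.2", 80): 1000, ("10.0.0.2", 443): 2000, ("10.0.0.3", 22): 100}
TRAFFIC_CUR = {("10.0.0.2", 80): 1100, ("10.0.0.2", 443): 3100, ("10.0.0.3", 22): 100, ("10.0.0.2", 445): 500}

# Manually populated state, as on the slide: the terminated-employee list.
TERMINATED_USERS = {"ram"}


def simple_match(events, threshold=5, window=60):
    """Simple event match: at least `threshold` Auth/Failure events from one
    source within `window` seconds, whichever OS reported them."""
    recent, alerts, fired = defaultdict(deque), [], set()
    for e in events:
        if e["cat"] != "Auth/Failure":
            continue
        q = recent[e["src"]]
        q.append(e["t"])
        while e["t"] - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= threshold and e["src"] not in fired:
            fired.add(e["src"])              # one alert per source per burst
            alerts.append({"t": e["t"], "cat": "Attack/BruteForce", "src": e["src"]})
    return alerts


def multi_event_match(events, window=300):
    """Complex multi-event match: a brute-force alert followed, within `window`
    seconds, by a successful Windows login from the same source."""
    brute_at = {a["src"]: a["t"] for a in simple_match(events)}
    return [
        {"t": e["t"], "cat": "Attack/BruteForceSuccess", "src": e["src"], "user": e["user"]}
        for e in events
        if e["cat"] == "Auth/Success" and e["os"] == "windows"
        and e["src"] in brute_at and 0 <= e["t"] - brute_at[e["src"]] <= window
    ]


def statistical(prev, cur, increase=0.5):
    """Statistical: per (host, port), flag traffic that grew by `increase`
    (50% by default) over the previous interval, or that has no baseline at all."""
    alerts = []
    for key, now in sorted(cur.items()):
        before = prev.get(key, 0)
        if before == 0 and now > 0:
            alerts.append({"cat": "Anomaly/NewPort", "host": key[0], "port": key[1], "bytes": now})
        elif before and now >= before * (1 + increase):
            alerts.append({"cat": "Anomaly/TrafficIncrease", "host": key[0], "port": key[1],
                           "ratio": round(now / before, 2)})
    return alerts


def stateful(events, terminated):
    """Stateful: any login attempt, failed or successful, by a user on the list."""
    return [{"t": e["t"], "cat": "Policy/TerminatedUserLogin", "user": e["user"], "src": e["src"]}
            for e in events if e["cat"].startswith("Auth/") and e["user"] in terminated]


if __name__ == "__main__":
    for a in (simple_match(AUTH_EVENTS) + multi_event_match(AUTH_EVENTS)
              + statistical(TRAFFIC_PREV, TRAFFIC_CUR) + stateful(AUTH_EVENTS, TERMINATED_USERS)):
        print(a)
```

Note that the multi-event rule is built on top of the simple rule's output rather than re-counting failures; that is the "correlation is not prioritization" point from slide 12 in code form: the derived event carries its own category, and priority is assigned later from the asset and vulnerability context.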
  • 15. Advanced Analytics - Pattern Detection • Automatically detect repetitive event patterns (table of Name / Device Product): NETBIOS DCERPC Activation bind attempt little endian / Snort; NETBIOS DCERPC System Activity path overflow attempt little endian unicode / Snort; Tagged Packet / Snort; SHELLCODE x86 NOOP / Snort; NETBIOS DCERPC Remote activity bind attempt / Snort • Capability to detect new worms, malware, system misconfigurations, etc. • Automatically create correlation rules to flag new occurrences of the attack
  • 17. Why a Visual Approach Helps A picture tells more than a thousand log lines
  • 18. Visual Approach – Benefits I • Multiple views on the same data
  • 19. Visual Approach – Benefits II • Selection and drill-down • Color by different properties
  • 20. Three Aspects of Visual Security Event Analysis • Situational Awareness — What is happening in a specific business area (e.g., compliance monitoring) — What is happening on a specific network — What are certain servers doing • Real-Time Monitoring and Incident Response — Capture important activities and take action — Event Workflow — Collaboration • Forensic and Historic Investigation — Selecting arbitrary set of events for investigation — Understanding big picture — Analyzing relationships - Exploration — Reporting
  • 24. MMS CDRs (link graph: From Phone# → MSG Type → To Phone#)
  • 27. Real-time Monitoring – Detect Activity
  • 28. Analysis Process (diagram) Real-time Visual Detection → Data Processing; Automatic Action → Remediation; automatic creation of new filters and correlation components; Visual Investigation → Historical and Forensic Analysis; Assign to 2nd Level Analysis; Assign Ticket for Operations
  • 29. Visual Detection and Investigation Beginning of Analyst’s shift
  • 30. Visual Detection Scanning activity is displayed (firewall blocks the scan events)
  • 32. Define New Correlation Rules and Filters 1. Rule: assign for further analysis if more than 20 firewall drops from an external machine to an internal machine 2. Filter: internal machines on the white-list connecting to active directory servers 3. Open a ticket for Operations to quarantine and clean infected machines
  • 33. Real-time Analysis - Summary • Benefits of Visual Analysis — Visually driven process for investigating events — Visual investigation helps • get a quick turn-around • detect new and previously unknown patterns (i.e. incidents) — Reduced event load for analysts by feeding gained knowledge back into the analysis work-flow.
  • 35. Forensic and Historical Investigation • Three Areas of Concern — Defense in Depth — Insider Threat — Compliance
  • 36. Defense In Depth - Port Scan Detection
  • 38. Insider Threat – User Reporting (graph: high ratio of failed logins)
  • 39. Insider Threat - Email Problems (graph legend: 2:00 < Delay < 10:00; Delay > 10:00; nodes: To, Delay)
  • 40. Compliance – Business Reporting • Attacks targeting internal systems (graph: Revenue Generating Systems ← Attacks)
  • 42. Summary Detect the expected & discover the unexpected Reduce analysis and response times Make better decisions
  • 43. Q&A Raffael Marty ArcSight, Inc. Email: raffy@arcsight.com

Editor's Notes

  1. Reduce analysis and response times: quickly visualize thousands of events; facilitate communication; graphs are easier to understand than textual events. Make better decisions: situational awareness; visualize the status of the business posture; visual display of the most important properties. Detect the Expected & Discover the Unexpected: reporting; visually identify patterns and outliers.
  2. The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
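The caveat in the note above is one every analyst reading a link graph should have in a script: a neat run of consecutive "destination" ports can be a scan, or it can be a device that put the client's ephemeral source port in the destination field, and the graph alone cannot tell them apart. The block below is an added triage check, not part of the talk or of AfterGlow: it takes the same (destination address, port) pairs the graph was drawn from, finds contiguous port runs per destination, and labels runs that lie entirely above the ephemeral boundary as "check the device's port fields" rather than as a scan. The boundary value and the constructed edges are assumptions; the verdict is a prompt to look at the raw event, not a conclusion.

```python
from collections import defaultdict

# Constructed graph input: (destination address, "destination" port) pairs as
# they come out of the link-graph configuration described in the note.
EDGES = (
    [("10.0.0.2", p) for p in range(1025, 1045)]           # contiguous ephemeral "ports"
    + [("10.0.0.5", p) for p in (21, 22, 23, 24, 25, 80)]  # contiguous well-known ports
    + [("10.0.0.7", p) for p in (80, 443, 8080)]           # no run at all
)

EPHEMERAL_START = 1024   # assumption: a run entirely above this looks like client source ports


def contiguous_runs(ports, min_len=3):
    """Return (lo, hi) for every run of at least `min_len` consecutive port numbers."""
    ps = sorted(set(ports))
    if not ps:
        return []
    runs, start, prev = [], ps[0], ps[0]
    for p in ps[1:] + [None]:             # None is a sentinel that flushes the last run
        if p is not None and p == prev + 1:
            prev = p
            continue
        if prev - start + 1 >= min_len:
            runs.append((start, prev))
        start = prev = p
    return runs


def triage_port_runs(edges, min_len=3):
    """Per destination, label each run: above the ephemeral boundary it is more
    likely a device reporting source ports as destination ports; below, a scan."""
    by_dst = defaultdict(list)
    for dst, port in edges:
        by_dst[dst].append(port)
    findings = []
    for dst in sorted(by_dst):
        for lo, hi in contiguous_runs(by_dst[dst], min_len):
            verdict = "check-device-port-fields" if lo > EPHEMERAL_START else "possible-portscan"
            findings.append({"dst": dst, "from": lo, "to": hi, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_port_runs(EDGES):
        print(f)
```

When the verdict is "check-device-port-fields", the confirming evidence is in the raw events, not the graph: in the PIX example on slide 10, the 106015 "Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443" message is exactly the kind of line whose high-numbered port belongs to the client side.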