This is a tricky question, because security visualization tools usually come in two forms Ė prohibitively expensive (on the order of tens to hundreds of thousands of dollars) and free. I like Raffy Martyís open source project Afterglow because it is powerful and flexible enough to be used with many types of security data. The prefuse toolkit helps Java developers create powerful visualization applications. On the commercial side, I believe ArcSight, Splunk and Secure Decisions make very nice products. Iíve been very impressed with Zynamicís BinNavi and BinDiff. Halvar Flake and his fellow researchers at Zynamics really know their stuff. There are a number of general purpose tools that can be used for security and other types of data, examples include IBMís free Many Eyes service and TIBCOís SpotFire. Finally, visualization is a very active research area. Iíd recommend monitoring the output of VizSEC, the Workshop on Visualization for Computer Security and the National Visual Analytics Center as well as the VizSEC and SecViz portals for the latest developments. VizSEC 2008 will be held September 15, 2008 in conjunction with the Recent Advances in Intrusion Detection (RAID) Symposium and we invite people interested in visualization to attend. Here youíll find bleeding edge ideas, before they turn into products.
You are the creator of the network and security visualization tool RUMINT. Introduce the main features of the tool as well as some of the possible usage scenarios.
RUMINT is a visualization tool designed to allow insightful analysis of network traffic, either in real-time as a packet sniffer or using historical pcap data. It uses a VCR-like interface to control playback of the packets in seven different visualization windows, similar to the way a Tivo allows a user to record, pause and play back video. Each window provides a different view on the same packets, at the same time, allowing analysts to correlate insights gained from each display. Analysts have found it useful for creating graphical fingerprints of network attacks, analyzing attack tool behavior, communicating Internet security threats to end users, understanding the operation of new protocols, and finding anomalies in network traffic.
Despite these strengths, I consider RUMINT a work in progress and Iím working on a complete rewrite of the source code now. The hacker and computer security communities have been very enthusiastic about the tool and are providing awesome feedback. While the latest version is stable, useful, and usable, I believe RUMINT hasnít reached its full potential. I want to incorporate the feedback Iíve received to take the tool to the next level. My goal is to create a result that is compelling enough to make Fyodorís Top 100 security tools list. This list is based on a survey of what tools the security analyst community finds most valuable. Fyodorís list is an honor that must be earned, and I look forward to seeing RUMINT on it one day.