I expect to see tools that help bridge the gap between visualization and machine processors. Human time and attention are rare resources, particularly that of experts. Once an analyst makes a discovery, such as the signature of a new form of malware, the visualization tool should make it very easy to offload the signature to machine processors, such as anti-virus programs and intrusion detection systems, to do the heavy lifting in the future. Currently, there is a distinct gap between security visualization systems and machine processors in many areas.
How long did it take you to write Security Data Visualization and what was it like? Any major difficulties?
It took about three years of research and about 14 months of writing to produce Security Data Visualization. The most frustrating aspect was banging into the edges of human knowledge. Visualization of security data is, in many ways, a very young field; many aspects are relatively unexplored, such as visualization support for cryptanalysis and malware analysis, but bear great promise. I believe there are several decades before we start seeing the full range of possibilities.
There were some aspects of the writing process that helped greatly too. Without exception, the community of security visualization researchers freely contributed images and ideas to help with the project. Raffy Marty of Splunk contributed two excellent chapters. John Goodall of Secure Decisions served as technical reviewer and was the best person on the planet to fill that role. My editor, Tyler Ortman, exceeded all of my expectations by actively researching security visualization and pointing out valuable extensions and ideas. Near the end of the process I found out that he had studied physics before turning to editing. I couldn’t have asked for a better editor. Bill Pollock, founder of No Starch Press, was also a pleasure to work with. He puts his heart and soul into his books and never rushed the timeline; instead he was focused on creating the best possible book. I wholeheartedly recommend No Starch Press to people considering writing security books. I can’t overstate the importance of support like they provide when writing a book.
What are some of the interesting facts you discovered while researching for this book?
Perhaps the most interesting insight is that most software developers and attackers do not seem to anticipate visual analysis. It’s the classic security through obscurity problem. With the right visualization you are essentially lifting the lid on a previously invisible file structure or type of network activity. For example, I was visually examining password-protected files produced by a popular word processor and found that the text was encrypted, but images were not. With the visualization tool I was building you could see the images as plain as day in a matter of seconds. The same analysis would have been much harder, if not impossible, with a hex editor. I found the same issue arises regarding network activity. While at a hacker conference in Atlanta, one of the capture the flag participants said after seeing an early version of RUMINT, “we’ll need to change the rules of capture the flag, once tools like that become available.” I agree with him: visualization helps change the rules of the security game. It helps reduce security through obscurity.
I also learned that the hacker community is an excellent environment for incubating new ideas. Every time I presented research to Defcon, Interz0ne, and Black Hat, I received invaluable feedback and support. I’d like to see more interaction between academia, industry, government, and the hacker community; we will all benefit.
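The "encrypted text, unencrypted images" finding above can be reproduced with the simplest byte-level visualization: a sliding-window entropy profile. The following is an added example, not code from the book or from RUMINT; it builds a constructed stand-in for a password-protected document (a pseudo-random "ciphertext" section around a repetitive, bitmap-like "image" section) and flags the low-entropy region that a defender would want to see when checking whether a protection scheme really covers the whole file.

```python
import hashlib
import math
from collections import Counter
from typing import List, Tuple

WINDOW = 256  # bytes per sample in the profile

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, far lower for structured data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_profile(data: bytes, window: int = WINDOW) -> List[float]:
    """Entropy of each consecutive window; this is the 1-D signal a byte visualizer plots."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def low_entropy_regions(profile: List[float], window: int = WINDOW,
                        threshold: float = 6.0) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where consecutive windows fall below the threshold.
    In a file that claims to be encrypted, these are the candidate unprotected regions."""
    regions, start = [], None
    for i, e in enumerate(profile):
        if e < threshold and start is None:
            start = i
        elif e >= threshold and start is not None:
            regions.append((start * window, i * window))
            start = None
    if start is not None:
        regions.append((start * window, len(profile) * window))
    return regions

def ascii_plot(profile: List[float], window: int = WINDOW, width: int = 40) -> str:
    """Offset, entropy and a bar per window: a text-mode stand-in for the visual tool."""
    return "\n".join(f"{i * window:06x} {e:4.2f} {'#' * round(e / 8.0 * width)}"
                     for i, e in enumerate(profile))

def build_sample_document() -> bytes:
    """Constructed sample (hypothetical format): 2048 bytes of 'ciphertext', then a 2048-byte
    unencrypted bitmap-like image, then 512 more bytes of 'ciphertext'. SHA-256 output stands
    in for encrypted text so the sample is deterministic."""
    ct = lambda tag, n: b"".join(hashlib.sha256(tag + i.to_bytes(4, "big")).digest() for i in range(n))
    row = bytes([0x00, 0x00, 0xFF, 0xFF, 0x80]) * 16          # small palette, repeated per row
    image = (b"BM" + bytes(8) + row * 26)[:2048]               # header + rows, cut to 2048 bytes
    return ct(b"text", 64) + image + ct(b"tail", 16)

if __name__ == "__main__":
    doc = build_sample_document()
    prof = entropy_profile(doc)
    print(ascii_plot(prof))
    print("unprotected regions:", low_entropy_regions(prof))
```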