Security visualization has been getting quite a lot of press in the past year. Does it mean that it's really become a mainstream practice?
I don't think so. There is a continuum of problems. A lot of people are still troubled with identifying the data they should collect. Once that is done, they are struggling with actually collecting it. In this realm, a lot of people are making the mistake of going out to find data, instead of defining their use-cases first and then identifying what data they need to address those use-cases. Then, once the data is collected, people are struggling with what to do with it. A lot of people are using their data for investigations, from operations use-cases (e.g., system failures) to security (forensic investigations), etc. Only a minority is using their IT data to actually proactively monitor the environment.
People don't really understand their logs. They don't understand what logs to collect and, once collected, they don't really know what's in them and what things mean. Many products are offering textual tools. Only a few have added some visual aids, and if they have, those aids are very primitive: charts (pies, line charts, bar charts), dashboards that combine those charts, and static reports. To do an actual investigation and to gain a situational overview of an environment, we need much richer visualizations and interactive ways to explore the data. Splunk, for example, offers interactive visualizations.
Based on your experience, what would your estimate be on the number of security professionals using security visualization nowadays?
Not very many. See also my answer above: a lot of people don't even understand their data and do not have the data collected. Only those who satisfy both of these criteria are candidates to actually visualize their data. A number that might give an indication is that of the downloads of the DAVIX (davix.secviz.org) live CD. We built a CD that contains around 25 open source visualization tools, readily installed on the CD. We have had over 800 downloads so far.
In your opinion, what are the areas in which security visualization is indispensable?
Any place that generates security data and needs to:
- Explore and discover the data available, either for forensic purposes or for analytical reasons
- Communicate the contents
- Gain situational awareness
- Have a way to make better decisions based on the data