Q&A: Security Visualization
by Mirko Zorz - Monday, 22 September 2008.
As chief security strategist and director of application product management, Raffael Marty is customer advocate and guardian, the expert on all things security and log analysis at Splunk. Currently he uses his skills in data visualization, log management, intrusion detection, and compliance to solve problems and create solutions for Splunk customers. His passion for visualization is evident in the many presentations he gives at conferences around the world and in his book "Applied Security Visualization". In addition, Raffy is the author of AfterGlow, founder of the security visualization portal, and contributing author to a number of books on security and visualization.

Security visualization has been getting quite a lot of press in the past year. Does it mean that it's really become a mainstream practice?

I don't think so. There is a continuum of problems. A lot of people are still troubled with identifying the data they should collect. Once that is done, they are struggling with actually collecting it. In this realm, a lot of people are making the mistake of going out and finding data, instead of defining their use-cases and then identifying what data they need to address those use-cases. So, once the data is collected, people are struggling with what to do with it. A lot of people are using their data for investigations, from operations use-cases (e.g., system failures) to security (forensic investigations), etc. Only a minority is using their IT data to actually proactively monitor the environment.

People don't really understand their logs. They don't understand what logs to collect and, once collected, they don't really know what's in them and what things mean. Many products are offering textual tools. Only a few have added some visual aids. And if they added visual aids, they are very primitive: charts (pies, line charts, bar charts), dashboards that combine those charts, and static reports. To do an actual investigation and to gain a situational overview of an environment, we need much richer visualizations and interactive ways to explore the data. Splunk, for example, offers interactive visualizations.

Based on your experience, what would your estimate be on the number of security professionals using security visualization nowadays?

Not very many. See also my answer above: a lot of people don't even understand their data and do not have the data collected. Only those who satisfy both of these criteria are candidates to actually visualize their data. A number that might give an indication is that of the downloads of the DAVIX (davix.secviz.org) live CD. We built a CD that contains around 25 open source visualization tools, already installed on the CD. We have had over 800 downloads so far.

In your opinion, what are the areas in which security visualization is indispensable?

Any place that generates security data and needs to:
  • Explore and discover the data available, either for forensic purposes or for analytical reasons
  • Communicate the contents
  • Gain situational awareness
  • Have a way to make better decisions based on the data.
Each of these cases needs visualization to facilitate the process of understanding and managing the data. Actual use-cases encompass, for example, insider threat, compliance, and perimeter threat.
