In your opinion, what are the areas in which security visualization is indispensable?

Any place that generates security data and needs to:

• Explore and discover the data available, either for forensic purposes or for analytical reasons
• Communicate the contents
• Gain situational awareness
• Have a way to make better decisions based on the data.

Each of these cases needs visualization to facilitate the process of understanding and managing the data. Actual use-cases encompass, for example: insider threat, compliance, and perimeter threat uses.

What are the security visualization tools that you personally use?

Unfortunately, there is no one tool that would satisfy all of my needs. To have the most flexibility, I built my own tool called AfterGlow to address a set of use-cases. The tool helps to generate link graphs and gives the user a lot of freedom in doing so. The second most used tool is a treemap visualization tool called Treemap.


What kind of development can we expect in the upcoming versions of security visualization tools? What new features would you like to see?

I hope to see some more visualization tools in the close future. If I could write a wish list, it would have the following content:

• Highly interactive
• Linked views and dynamic queries, i.e., there are multiple views that show the same data, but with different graphs. If a selection is made on one chart, the other chart is automatically updated.
• Highly scalable
• Standardized interfaces for data acquisition and no need for built-in parsers. (Parsing should be dealt with prior to getting the data into the tool)
• A rich set of visual displays and graphs.

How long did it take you to write "Applied Security Visualization" and what was it like? Any considerable difficulties?

It took me 2 years from the first contact with the publisher about the topic to the published book. I wrote a blog entry about the process. The biggest challenge was that I had at least two chapters that I didn't really know how to go about visualizing the topic, namely insider threat and compliance. It took me a significant amount of time to do all the research for those topics and write up a cohesive process. Interestingly enough, a lot of reviewers like the insider threat chapter the best.

Another problem that I encountered every now and then is that I didn't have access to a lot of data to visualize. Especially, again for compliance and insider threat, I didn't have real data sets to work with.