Cloud-based Log Analysis and Visualization

Transcription

1 Cloud-based Log Analysis and Visualization DeepSec 2010, Vienna, Austria mobile-166 My syslog Raffael Marty

2 Raffael (Raffy) Marty Chief Security Strategist and Product Splunk Manager ArcSight Intrusion Detection IBM Research IT Security PriceWaterhouse Coopers Applied Security Visualization Publisher: Addison Wesley (August, 2008) ISBN:

3 Agenda Introduction Visualization Tools Beaver Challenge Visualization in the Cloud The Cloud Visualization Use-Cases Visualization Visualization Resources 3

4 The Public Cloud IaaS - Infrastructure PaaS - Platform SaaS - Software LaaS - Logging What is really new and has changed? Raffael Marty 4

5 Visibility and Big Data Raffael Marty 5

6 Visibility Monitoring -Performance -Availability -Ephemeral Infrastructure Security IaaS - Similar to before PaaS - Lack of Infrastructure SaaS - Blind? -New Threats -New Vulnerabilities -Different Risk Distribution Application Instrumentation and Logging Raffael Marty 6

7 Big Data NoSQL Distributed data stores Distributed queues Map reduce ETL (Extract, Transform, Load)... Raffael Marty 7

8 Information Visualization Better tools and capabilities Across disciplines More instrumentation Dichotomies Raffael Marty 8

9 Open Your Eyes 9

10 Information Visualization? A picture is worth a thousand log records. Explore and Discover Inspire Answer a Question Pose a New Question Increase Efficiency Communicate Information Support Decisions 10

11 Visualization Tools 11

12 Reporting vs. Visualization Reporting Libraries -HighCharts -Flot -Google Chart API -Open Flash Chart -HTML5 Visualization Libraries -TheJIT -Graphael -Protovis -ProcessingJS -Flare JavaScript vs. Flash vs. XYZ 12

13 HighCharts Click-Through On load -near real-time updates Zoom AJAX data input via JSON 13

14 Google Visualization API JavaScript Based on DataTables() Many graphs Playground

15 ProtoVis JavaScript based visualization library Charting Treemaps BoxPlots Parallel Coordinates etc. 15

16 TheJIT JavaScript InfoVis Toolkit Interactive Link Graphs 16

17 Processing Visualization library Java based Interactive (event handling) Number of libraries to -draw in OpenGL -read XML files -write PDF files Processing JS -JavaScript -HTML 5 Canvas -Web IDE

18 Data Visualization in the Cloud 18

19 LaaS - Log collection all data in one place Log storage and management index, storage, archive Extremely fast log search across all your data data source agnostic (no parsers) innovative Web shell API log access oauth authentication always on Benefits No installation Easy configuration No maintenance Great scalability 7x24 availability Pay as you go 19

20 AfterGlow Cloud Grapher Loggly JSON CSV DOT Graph 20

21 Visualization Use-Cases 21

22 Old Skewl Yesterday Today - Cloud 22

23 Traditional Style Yesterday Today - Cloud 23

24 The Analysis Approach Overview first Zoom Details on demand Principle by Ben Shneiderman 24

25 NetFlow Visualization Treemap Protovis.JS Size: Amount Brightness: Variance Color: Sensor Shows: Scans - bright spots Thanks to Chris Horsley 25

26 Firewall Treemap 26

27 Firewall Log Port Source IP Destination IP 27

28 IDS Signature Tuning Top signatures

29 Signatures Over Time

30 IDS Sig Tuning - Treemap Hierarchy: Source Destination Signature Number of Events Color: Service Size: Number of alerts 30

31 IDS Sig Tuning - Treemap Hierarchy: Source Destination Signature Number of Events Color: Priority Size: Number of alerts 31

32 IDS Sig Tuning - Treemap Hierarchy: Signature Source Service (Port) Color: Priority Size: Number of alerts 32

33 Visualization Resources 33

34 Share, discuss, challenge, and learn about security visualization. List: secviz.org/mailinglist 34

35 Applied Security Visualization Bridging the gap between security and visualization Hands-on, end to end examples Data processing and analysis Chapters Visualization Data Sources From Data to Graphs Perimeter Threat Compliance Insider Threat Visualization Tools Addison Wesley (August, 2008) ISBN:

36 about.me/raffy We are hiring! 36