How To Create An Integrated Visualization For A Network Security System (For A Free Download)



Similar documents
Using Extensible Metadata Definitions to Create a Vendor-Independent SIEM System

SIEM approach for a higher level of IT security in enterprise networks

Comparing Microsoft SQL Server 2005 Replication and DataXtend Remote Edition for Mobile and Distributed Applications

- IF-MAP Research Projects and Open Source Software

Managing Large Imagery Databases via the Web

Microsoft SQL Server for Oracle DBAs Course 40045; 4 Days, Instructor-led

Online Transaction Processing in SQL Server 2008

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

PARTNER INTEGRATION GUIDE. Edition 1.0

The Complete Performance Solution for Microsoft SQL Server

Anomaly Management using Complex Event Processing. Bastian Hoßbach and Bernhard Seeger

Case Study: Real-time Analytics With Druid. Salil Kalia, Tech Lead, TO THE NEW Digital

SolarWinds Certified Professional. Exam Preparation Guide

How To Virtualize A Storage Area Network (San) With Virtualization

Visualizing a Neo4j Graph Database with KeyLines

WSO2 Message Broker. Scalable persistent Messaging System

HP A-IMC Firewall Manager

Introduction. Interoperability & Tools Group. Existing Network Packet Capture Tools. Challenges for existing tools. Microsoft Message Analyzer

Server Manager Performance Monitor. Server Manager Diagnostics Page. . Information. . Audit Success. . Audit Failure

RSA SecurID Ready Implementation Guide

Business Intelligence. A Presentation of the Current Lead Solutions and a Comparative Analysis of the Main Providers

IF-MAP Use Cases: Real-Time CMDB, and More

Microsoft Enterprise Search for IT Professionals Course 10802A; 3 Days, Instructor-led

Cyber Security Services: Data Loss Prevention Monitoring Overview

Oracle Database 10g: Building GIS Applications Using the Oracle Spatial Network Data Model. An Oracle Technical White Paper May 2005

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, :32 pm Pacific

McAfee Security. Management Client

Project management integrated into Outlook

Brocade Virtual Traffic Manager and Microsoft IIS Deployment Guide

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

SQL Server 2008 Performance and Scale

GEOG 482/582 : GIS Data Management. Lesson 10: Enterprise GIS Data Management Strategies GEOG 482/582 / My Course / University of Washington

Cyber Situational Awareness for Enterprise Security

Developing Microsoft SharePoint Server 2013 Advanced Solutions

Zenoss Service Dynamics Impact and Event Management Installation and Administration

Gephi Tutorial Quick Start

ETL-EXTRACT, TRANSFORM & LOAD TESTING

EMS. Trap Collection Active Alarm Alarms sent by & SMS. Location, status and serial numbers of all assets can be managed and exported

SharePoint 2010 Interview Questions-Architect

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Visualizing an OrientDB Graph Database with KeyLines

... Introduction... 17

SAP HANA - Main Memory Technology: A Challenge for Development of Business Applications. Jürgen Primsch, SAP AG July 2011

Migration Best Practices for OpenSSO 8 and SAM 7.1 deployments O R A C L E W H I T E P A P E R M A R C H 2015

uncommon thinking ORACLE BUSINESS INTELLIGENCE ENTERPRISE EDITION ONSITE TRAINING OUTLINES

How To Create A Replica In A Database On A Microsoft Powerbook (Ahem) On A Linux Server (A.K.A.A)

A viable SIEM approach for Android

This course will also teach how to create various kinds of dashboards using Reporting Services.

April 8th - 10th, 2014 LUG14 LUG14. Lustre Log Analyzer. Kalpak Shah. DataDirect Networks. ddn.com DataDirect Networks. All Rights Reserved.

InfiniteGraph: The Distributed Graph Database

VMware vrealize Operations for Horizon Administration

Hyperoo 2 User Guide. Hyperoo 2 User Guide

How To Use Syntheticys User Management On A Pc Or Mac Or Macbook Powerbook (For Mac) On A Computer Or Mac (For Pc Or Pc) On Your Computer Or Ipa (For Ipa) On An Pc Or Ipad

Intelligent Network Management System. Comprehensive Network Visibility and Management for Wireless and Fixed Networks

So today we shall continue our discussion on the search engines and web crawlers. (Refer Slide Time: 01:02)

SQL Server Training Course Content

Availability Digest. Raima s High-Availability Embedded Database December 2011

Integrity 10. Curriculum Guide

automates system administration for homogeneous and heterogeneous networks

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

Undergraduate Academic Affairs \ Student Affairs IT Services. VPN and Remote Desktop Access from a Windows 7 PC

Best Practices for Database Security

Principles and characteristics of distributed systems and environments

multiple placeholders bound to one definition, 158 page approval not match author/editor rights, 157 problems with, 156 troubleshooting,

BB2798 How Playtech uses predictive analytics to prevent business outages

Fast Innovation requires Fast IT

Developing ASP.NET MVC 4 Web Applications

VERIPATROL Mobile User Guide

Situational Awareness Through Network Visualization

Big Data Visualization with JReport

Developing Microsoft SharePoint Server 2013 Advanced Solutions MOC 20489

MS-40074: Microsoft SQL Server 2014 for Oracle DBAs

Middleware support for the Internet of Things

João Diogo Almeida Premier Field Engineer Microsoft Corporation

Industrial Automation - The Importance of Network Management Software

Report on Project: Advanced System Monitoring for the Parallel Tools Platform (PTP)

Crack Open Your Operational Database. Jamie Martin September 24th, 2013

WINDOWS AZURE SQL REPORTING

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

Izenda & SQL Server Reporting Services

ONOS Open Network Operating System

A New Perspective on Protecting Critical Networks from Attack:

Social Media in the Process Automation Industry

WebSphere Business Monitor

Security White Paper The Goverlan Solution

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

mframe Software Development Platform KEY FEATURES

Mind Q Systems Private Limited

An Oracle White Paper October Oracle Data Integrator 12c New Features Overview

About Network Data Collector

Oracle JRockit Mission Control Overview

SolidStore benefits: SolidStore file system

Transcription:

Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources Bastian Hellmann Trust@HsH Research Group University of Applied Sciences and Arts in Hanover July 13th 2015 GraMSec 2015 Verona, Italy Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 1 / 15

Motivation Problem in Network Security Typical networks consist of various components like user endpoints, network security devices, services,.... Information is not shared among those components. Thus, an overview of whats going on is difficult. Exemplary Use-Cases Detect combinations of failed login attempts on multiple services by the same user. Find the sources of the attack. Trace the way the attack moved in the network. React fast by shutting down accounts or locking out devices. Our Contribution Design and implement an integrated visualization, that works with data from various sources, and helps to detect and react to such attacks. Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 2 / 15

Requirements Real-Time Monitoring Acquire knowledge before it is outdated! Allows for faster reactions after detection of abnormal behavior Data Integration Combine information and knowledge from arbitrary components! Allows to combine knowledge Retrospective Analysis Preserve historical course of data and provide means to navigate in time! Events that led to a specific state can be retracted Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 3 / 15

Integration of Data Sources Types of data interesting for network security Physical and logical topology Configuration of devices & services State Behavior Our approach Use IF-MAP protocol as the foundation (! next slides) Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 4 / 15

Interface for Metadata Access Points (IF-MAP) What is it? Open specification by the Trusted Computing Group Goal: allow exchanging information between arbitrary network components Data is defined in an extensible way and not bound to a domain Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 5 / 15

Proposed Architecture Visualization Data Processing Analysis IF-MAP MAP-Server Persistence Logfile / Syslog IO-Framework NAC / VPN Flow Controller Collectors and Controllers (N)IDS Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 6 / 15

Application and Persistence Level Concepts Enhancements to IF-MAP Persistence of IF-MAP data, as the MAP server only holds the current state Continuous recording Preserve the changes (not only snapshots) as the MAP server receives them State and change queries Allow to query for snapshots, i.e. the complete graph at a given time Allow to query for the changes (delta) between two timestamps Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 7 / 15

Visualization Requirements and Concepts I Representing the data model IF-MAP forms a graph with nodes (identifier) and edges (links) and information attached to them Thus can be rendered with standard graph rendering techniques and layouts Publisher distinction The source (i.e. the MAP client measuring the data) of metadata needs to be transparent to the user Use the IF-MAP publisher-id to distinct between metadata from different clients (e.g. by coloring) Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 8 / 15

Visualization Requirements and Concepts II History navigation Navigation via three modes: live view, history view, delta view Selection of timestamps via slider and/or forward-backward-buttons Search Functionality and Filtering Allow the user to search or filter the graph data, to pinpoint a single node or a selection of nodes with similar features Search results can either be highlighted or colored differently as non-matching nodes Non-matching nodes also can be shown translucent, to retain the overall structure Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 9 / 15

VisITMeta Application General information Research project, funded by German Ministry for Research and Education Released as open-source software 1 Implementation of all previous concepts Offers additional features like motion control (LeapMotion) 1 https://github.com/trustathsh/visitmeta Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 10 / 15

Screenshot (v0.4.2) Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 11 / 15

Specifics of IF-MAP Visualization Characteristics of IF-MAP graphs Two kinds of nodes: Identifier and Metadata Can and should be handled differently when calculating layouts Example: Adapted Bipartite Layout Identifier in columns 2 and 4, Metadata in columns 1, 3 and 5 Emphasizes the difference between link and single metadata Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 12 / 15

Results Homogenization IF-MAP used for acquisition and homogenization of different data sources Components need only be enabled to publish IF-MAP information Data context Implicit connection of different data like network addresses, user credentials, services and high-level events Interoperability VisITMeta as a software is usable in every IF-MAP-based environment as it uses standard mechanisms to fetch the data Many MAP clients and thus a good amount of data sources already available Continuous recording and retrospective analysis Changes are persisted as they are processed by the MAP server They can then be reconstructed step by step Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 13 / 15

Indentified Challenges Visual Scalability Big graphs get cluttered really quick Techniques to reduce the size of the graph have to be added, like Level of Detail Visual dynamics Frequent changes in the network lead to many changes in the visualization E.g. do not show low-level data and concentrate instead on high-level abstractions Recording of all data Mechanism to fetch data from the MAP server has a shortcoming implied from IF-MAP itself: only connected graphs can be observed via a subscription IF-MAP does not offer a mechanism to get to know if there are new and disconnected graphs. Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 14 / 15

Conclusion Summary Requirements for data integration including model and requirements for visualizing the data IF-MAP as foundation Graph-based visualization with regards to IF-MAP structure Features like history navigation and filtering Future Work Address the identified challenges Using data persistence for analysis Bastian Hellmann (Trust@HsH) GraMSec 2015 July 13th 2015 15 / 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information