~SEcurity staff are overwhelmed with data. Wayne Rash says we must use visualisation tools
The image on the screen (see below) shows a cyber-attack in progress, but it doesn’t look like the rows of reports that you usually expect to see as event data flows from intrusion prevention systems, next-generation firewalls and security reporting systems.
Instead, it looks like a fantastic image from something in the world of science fiction. Streams of data flow from the globe representing the Internet. Attack vectors are highlighted in red. You can watch the changes as the attacks progress.
Cyber attacks in graphical form
To say that this technology represents a whole new way of looking at data is an understatement. Watching the big data visualisations from Japan’s National Institute of Information and Communications Technology (NICT) and its Daedalus Cyber-attack alert system may look like something from a movie, but it’s very real. Perhaps better, it represents one of the new ways researchers and cyber-security experts have found to show attacks in action.
As I had found when I attended a conference in Washington earlier in June, the world of cyber-security has changed. But how much it’s changed became far clearer when I talked to some of the leading experts in the field. Perhaps what has changed the most is that new ways have emerged that allow the vast quantity of data to be monitored in real time. This means that you can see an attack as it’s in the earliest stages—in time to take preventative action.
“We’ve managed in the past from rows and columns, then bar and pie charts,” explained J.R. Reagan, Federal Chief Innovation Officer for Deloitte & Touche in Arlington, Virginia. But Reagan noted that this isn’t very intuitive when it’s happening at breakneck speed: “It’s a post-digital problem.”
A post-digital problem
Reagan said that due to the limitations in a person’s ability to compare numbers and data in event logs, having other automated tools looking at an event as it happens means that the rapid understanding of the event is possible—especially in real time as things are actually happening.
“Maybe see the attack on a map, put it into more of a 3D spatial look, spider chart or ‘bread crumbs’ to see where it leads,” Reagan suggested. An effective way to visualise such an attack, he said, is seeing random dots clustered around servers showing geography and even IP addresses, very like what’s presented in Daedalus.
“You can see where bad transactions are coming from,” Reagan said, “We’ve seen where you can combine the physical world and the network world and do a geospatial fly-in.” Cyber-defense researchers are learning much from the casino gaming industry in Las Vegas, such as the need to put relationships to events and to the people behind the events, according to Reagan.
“You watch a person and who that person knows,” he said, adding that by learning about those relationships, specialists can start to see the threats ramp up, and the forces being gathered before a cyber-attack begins. “We can see ‘missions’ against agencies,” he said. “We can see the DDoS [distributed denial of service] buildup; see commands to the botnet start up.” He said that by learning the relationships, cyber experts can find out what else a particular server has done and know what role it plays in the attack.
“The process uses predictive analytics,” said Eric De Roos, senior director of Business Technology for MicroStrategy in Tyson’s Corner, Virginia. “We can see events leading up to a DDoS attack. We’ll get a flood of requests from a huge number of machines, and we can predict that this is going to happen.”
De Roos said that when looking at events in real time, such as when observing a cyber-attack, it’s important to be able to change metrics and views dynamically to reflect what’s needed for a specific visualization at a particular time.
Unfortunately just because these advanced visualisation tools are available doesn’t mean they’re being used. “We don’t have a lot of visualisation specialists in the security world,” Reagan said. “Most security practitioners aren’t steeped in analytics, but this is an analytics game. We have to get good at that to solve the problem.”
What’s worse is that the size of the problem is going to continue to expand. Cyber-criminals aren’t letting grass grow under their feet. Attacks continue to get more sophisticated, the attackers learn to employ their own advanced techniques, and the rewards for cyber-crime continue to rise.
Because the nature of attcks has changed, the need is already upon us to harness the analytic power that’s available through the use of big data to fight off the attacks, to find out where the attackers are and to neutralise them. As one cyber-security specialist said to me recently, “We have to be right every time; they only have to be right once.”
Fortunately, by using advanced analytics and visualization, cyber-defenders can help ensure that they’re right every time.
Images in this article come from a video interview on DigInfo.TV
What do you know about Internet security? Find out with our quiz!
Originally published on eWeek.