Customer Reviews


9 Reviews
5 star:    (6)
4 star:    (3)
3 star:    (0)
2 star:    (0)
1 star:    (0)
 
 
 
 
 

7 of 7 people found the following review helpful:
5.0 out of 5 stars A great book on applied security visualization, September 23, 2008
This review is from: Applied Security Visualization (Paperback)
Our publisher sent me a copy of Raffael Marty's Applied Security Visualization. This book is absolutely worth getting if you're designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They're useful far beyond security. The chapter I didn't like was the one on insiders, which I'll discuss in detail further in the review.

In the intro, the author accurately scopes the book to operational security visualization. The book is deeply applied: there's a tremendous number of graphs and the data which underlies them. Marty also lays out the challenge that most people know about either visualization or security, and sets out to introduce each to the other. In the New School of Information Security, Andrew and I talk about these sorts of dichotomies and the need to overcome them, and so I really liked how Marty called it out explicitly. One of the challenges of the book is that the first few chapters flip between their audiences. As long as readers understand that they're building foundations, it's not bad. For example, security folks can skim chapter 2, visualization people chapter 3.

Chapter 1, Visualization covers the whats and whys of visualization, and then delves into some of the theory underlying how to visualize. The only thing I'd change in chapter 1 is a more explicit mention of Tufte's small multiples idea. Chapter 2, Data Sources, lays out many of the types of data you might visualize. There's quite a bit of "run this command" and "this is what the output looks like," which will be more useful to visualization people than to security people. Chapter 3, Visually Representing Data covers the many types of graphs, their properties and when they're appropriate. He goes from pie and bar charts to link graphs, maps and tree maps, and closes with a good section on choosing the right graph. I was a little surprised to see figure 3-12 be a little heavy on the data ink (a concept that Marty discusses in chapter 1) and I'm confused by the box for DNS traffic in figure 3-13. It seems that the median and average are both below the minimum size of the packets. These are really nits, it's a very good chapter. I wish more of the people who designed the interfaces I use regularly had read it. Chapter 4, From Data to Graphs covers exactly that: how to take data and get a graph from it. The chapter lays out six steps:

1. Define the problem
2. Assess Available Data (I'll come back to this)
3. Process Information
4. Visual Transformation
5. View Transformation
6. Interpret and Decide

There's also a list of tools for processing data, and some comparisons. Chapter 5, Visual Security Analysis covers reporting, historical analysis and real time analysis. He explains the difference, when you use each, and what tools to use for each. Chapter 6, Perimeter Threat covers visualization of traffic flows, firewalls, intrusion detection signature tuning, wireless, email and vulnerability data. Chapter 7, Compliance covers auditing, business process management, and risk management. Marty makes the assumption that you have a mature risk management process which produces numbers he can graph. I don't suppose that this book should go into a long digression on risk management, but I question the somewhat breezy assumption that you'll have numbers for risks.

I had two major problems with chapter 8, Insider Threat. The first is claims like "fewer than half (according to various studies) of various studies involve sophisticated technical means" (pg 387) and "Studies have found that a majority of subjects who stole information..." (pg 390) None of these studies are referenced or footnoted, and this in a book that footnotes a URL for sendmail. I believe those claims are wrong. Similarly, there's a bizarre assertion that insider threats are new (pg 373). I've been able to track down references to claims that 70% of security incidents come from insiders back to the early 1970s. My second problem is that having mis-characterized the problem, Marty presents a set of approaches which will send IT security scurrying around chasing chimeras such as "printing files with resume in the name." (This because a study claims that many insiders who commit information theft are looking for a new job. At least that study is cited.) I think the book would have been much stronger without this chapter, and suggest that you skip it or use it with a strongly questioning bias.

Chapter 9, Data Visualization Tools is a guided tour of file formats, free tools, open source libraries, and online and commercial tools. It's a great overview of the strengths and weaknesses of tools out there, and will save anyone a lot of time in finding a tool to meet various needs. The Live CD, Data Analysis and Visualization Linux can be booted on most any computer, and used to experiment with the tools described in chapter 9. I haven't played with it yet, and so can't review it.

I would have liked at least a nod to the value of comparative and baseline data from other organizations. I can see that that's a little philosophical for this book, but the reality is that security won't become a mature discipline until we share data. Some of the compliance and risk visualizations could be made much stronger by drawing on data from organizations like the Open Security Foundation's Data Loss DB or the Verizon Breaches Report.

Even in light of the criticism I've laid out, I learned a lot reading this book. I even wish that Marty had taken the time to look at non-operational concerns, like software development. I can see myself pulling this off the shelf again and again for chapters 3 and 4. This is a worthwhile book for anyone involved in Applied Security Visualization, and perhaps even anyone involved in other forms of technical visualization.


3 of 3 people found the following review helpful:
5.0 out of 5 stars An excellent combination of informative graphs, security scenarios, and efficient one-line perl parsers, August 30, 2008
This review is from: Applied Security Visualization (Paperback)
Applied Security Visualization (ASV) is a pioneering book in the emerging field of using visualization techniques to explore and represent data from a security perspective. Many security products - everything from intrusion detection systems, firewalls, SIM's, and AV software - offer methods for visualizing data they collect, but no single product has the ideal visualization interface (whatever that is). A main theme in ASV is to impart the reader with the knowledge and skills necessary to ask new questions about security data (such as a set of IDS event logs or application logs) and show the reader how to visually represent the answers to these questions. If a commercial interface has not been designed to visualize a data set in a particular way, ASV introduces tools and techniques to frequently make this possible. For example, common visualizations of firewall logs involve source and destination IP addresses and port numbers, but suppose that you want to create a link graph that involves source and destination IP addresses graphed against the TTL value in the IP header? The information in ASV makes this a snap.

At many points ASV deals with custom data parsing with invocations of clever one-line perl commands, and being a perl hacker myself, these examples are of particular interest.

The discussion in ASV is firmly grounded in computer security, and many important security questions are raised along with motivating examples. For instance, a nice example is given for visualizing all outbound connections made from a laptop and differentiating these connections based on whether they are sent over the Tor network for strong anonymity. Additional examples include using visual techniques to detect outliers, combining multiple data sources, using visual aids to assist with regulatory compliance (by quickly conveying meaningful security data to auditors), and much more. One graphing type, invented by Ben Shneiderman, is the Treemap and several examples of its usage are presented. While Treemap graphs are perhaps not intuitively obvious, ASV makes a strong case for why they should be included within your visualization arsenal. A particularly good example is presented in Chapter 6 on using Treemap graphs to visualize vulnerability data provided by Nessus.

Although I'm not an expert in visualization, I have worked in the field of computer security for over ten years, and have written books on the subject (concentrating on intrusion detection systems and firewalls). I gave ASV five stars because it arms the reader with the knowledge required to produce custom visualizations that may not be addressed by any particular tool. This is much more powerful than presenting some specific software and associated (fixed) parser. Security is a process, and ASV provides a foundation for the effective inclusion of visualization techniques in the constant fight to secure computing systems and networks.


3 of 3 people found the following review helpful:
5.0 out of 5 stars The reference book about Security Visualization - a topic you must dig in., September 9, 2008
This review is from: Applied Security Visualization (Paperback)
When security professionals are dealing with huge amounts of information, and who is not nowadays, correlation and filtering is not the easiest path (and sometimes enough) to discern what is going on. The in-depth analysis of security data and logs is a time consuming exercise, and security visualization (SecViz) extensively helps to focus on the relevant data and reduces the amount of work required to reach the same conclusions. It is mandatory to add the tools and techniques associated with SecViz to your arsenal, as they are basically taking advantage of the capabilities we have as humans to visualize (and at the same time analyze) data. A clear example is the insider threat and related incidents, where tons of data sources are available.

The best sentence (unfortunately it is not an image ;) that describes SecViz comes from the author:
A picture is worth a thousand log entries.

This is a great book that joins two separate worlds, visualization and information security (infosec). The first chapter is an excellent introduction to the human perception system, its basic principles, and how we analyze, discern, and assimilate information. It is an eye opener for those new to the field. Chapter two is similar from an infosec perspective, and summarizes the main challenges and data sources, such as packet captures, traffic flows, and firewall, IDS/IPS, system, and application logs. The third chapter details different graph properties and chart types, including some open-source and online tools for chart and color selection. Although we (infosec pros) are familiarized with link graphs to represent relationships between botnet members or hosts, the book provides a whole set of charts for different purposes; one of the most useful types, and we are not very used to it in the security field, is treemaps. The chapter includes a really useful table to select the right graph based on the purpose of the analysis and the data available.

Then, the previous chapters are smoothly mixed together through a reference methodology that defines what is the problem to solve, and the process to manipulate the available data and generate a (or set of) graph(s) that allow gathering relevant conclusions and answers. The methodology is complemented with an introduction to the standard Unix-based text processing tools (grep, awk, Perl, etc). This methodology is later on applied, with a strong hands-on and how-to spirit, to an extensive set of common security use-cases, such as the perimeter threat, compliance, and the insider threat.

The perimeter chapter offers a deep insight into common attack scenarios, such as worms, DoS or anomaly detection, and operational tasks, like firewall log and ruleset analysis, IDS tuning, or vulnerability assessments. I could never forget how useful were SecViz techniques for anomaly detection on a huge DNS-related incident I was involved in about 5 years ago. Thanks to the performance and statistical graphs we had available at that time, we were able to easily identify and solve a very complex and critical security incident.

When I saw this chapter included a wireless section I got really excited due to personal interest. However, I was disappointed as it was just a couple of pages. I think it could be extended to gather a whole set of useful information about complex wireless attacks and client and access points relationships, just by inspecting the different 802.11 management, control, and data frames, and even radio-frequency signals (from a spectrum analyzer). SecViz opens the door to a whole new wireless research area!

The compliance chapter offers a whole methodology to check and manage regulations, control frameworks, auditing, and risk monitoring and management from a visual perspective.

The same applies to the insider threat chapter, as it provides an impressive framework, not only visualization-based, to deal with malicious insiders. It is based on setting up scores for certain behaviors and activities (precursors), generating lists of suspicious candidates, and applying thresholds to accommodate exceptions. It also contains an extensive and directly applicable precursor list at the end to detect suspicious insider activities.

Finally, the book contains a whole chapter, full of references and comparison tables, of open-source and commercial visualization tools and libraries that allow the reader to select the appropriate tool for specific tasks and scenarios.

Although the book's hands-on component is very significant, with lots of detailed examples of commands, scripts, and tool options to generate the different graphs, I would have liked to see a thorough usage of the how-to portions, as for some sections there are no specific details about how the graphs have been generated. The book layout makes it the perfect candidate to become a fully interactive technical book. I would suggest to add (for a 2nd edition ;)) practical sections to each chapter where the reader could reproduce all the steps discussed. The book CD is the perfect tool to provide the reader with all the (sanitized) data sets and logs used to generate the graphs, and even allow to include some challenges where the reader needs to analyze the data and answer some questions after generating the appropriate graphs.

To sum up, this book is a mandatory reference for anyone involved in the operational side of infosec, doing intrusion detection, incident handling, forensic analysis, etc, and it can be applied to both, historical analysis and real-time monitoring. Additionally, I found it useful too for auditing and pen-testing professionals, as it provides great tips to generate relevant and efficient graphs for the associated reports.

The accompanying DAVIX Live CD is an excellent resource to start applying the techniques covered throughout the book through open-source tools, SecViz is the Web portal to expand your knowledge on this topic, and AfterGlow is (one of) the most relevant SecViz open-source tools.


1 of 1 people found the following review helpful:
5.0 out of 5 stars Excellent emphasis on embedding security visualization, October 20, 2008
This review is from: Applied Security Visualization (Paperback)
Last year I rated Greg Conti's Security Data Visualization as a five star book. I said that five star books 1) change the way I look at a problem, or properly introduce me to thinking about a problem for which I have little or no frame of reference; 2) have few or no technical errors; 3) make the material actionable; 4) include current research and reference outside sources; and 5) are enjoyable reads. Raffy Marty's Applied Security Visualization (ASV) scores well using these measures, and I recommend reading it.

Previous reviews offered lengthy analysis of the book, so I'll only add a few comments. I liked the author's careful organization of the book and the emphasis on embedding visualization in the reader's security work (p xiv). I appreciated many of his insights, such as the comment that tool developers usually don't know security visualization and security visualizers usually don't develop tools (p 7). I welcomed the realization that helpful security visualizations don't spring forth from the mind of the analyst beautiful and fully-formed, but may require iterations to communicate the desired information.

As far as presenting the material, I could tell how color really helped Greg Conti's book. I imagine it would have been exceptionally costly to print Raffy's 500+ page book in color, but the result is that some of the images are less engaging than they might have been. The color insert at the center of the book was a creative approach to this problem.

The only technical nit I could pick involved advice in ch 6 to send Snort output directly to a MySQL database. Using an intermediary like Barnyard is the preferred method in any installation beyond rudimentary testing.

I think ASV is a great book on security visualization, but it will also help general security practitioners. The author must gather useful data in order to visualize it, so that process should assist even those not seeking to render information graphically. To achieve a complete "visualization experience," I would bundle ASV with Andrew Jaquith's Security Metrics and a book on statistics. Inclusion of the DAVIX live CD was a great touch, since it allows users to immediately work with data and not worry about software installation. If you've already read Greg Conti's book, you'll still enjoy ASV; read Mr. Conti first then Mr. Marty.


4.0 out of 5 stars Information Security, June 1, 2010
Amazon Verified Purchase
This review is from: Applied Security Visualization (Paperback)
I am taking a course on Information Security and this book contributes a good amount on information security. I like this book. At first when I started reading it, I was kinda confused a little but when I understood it, I started to see how using visualization is effective in analyzing and investigating any network attack. I guess you have to be patient with the first several chapters and learn the basics of visualization in order to fully grasp how visualization relates to information security.


4.0 out of 5 stars Great Information, Boring Read, Textbook, March 4, 2009
This review is from: Applied Security Visualization (Paperback)
The overall information gained from this book is priceless. Knowing where to look for your security information, and more importantly how to interpret that data. Raffael is quick to explain throughout the book the different places you would look for specific data. He explains the different logging details of different vendors, and why each vendor made the choices they did. He is also quick to point out how to expand reporting from the default, and most times, limited reporting of logs.

The information contained in this book is really great, and there is a ton of it, however, getting to the information you care about and need to know takes time and some serious determination. To put it bluntly, this book is extremely boring. It took me about twice the normal time I take to read a book this size. Partially due to the fact that there is so much detailed information and you will spend a lot of time flipping back and forth through the book to remember exactly why Raffael is doing something. If you are really into security, and you wish to know more about your network, security or really any general logged information, this book will guide you to it, and show you exactly what you want to know, or better yet, exactly what you don't know.


5.0 out of 5 stars Awesome: fun to read and useful!, November 20, 2008
This review is from: Applied Security Visualization (Paperback)
First, here is what my early endorsement for the book said (can be found on the inside cover of the book):

"Amazingly useful (and fun to read!) book that does justice to this somewhat esoteric subject - and this is coming from a long-time visualization skeptic! What is most impressive is that this book is actually 'hands-on-useful,' not conceptual, with examples usable by readers in their daily jobs. Chapter 8 on insiders is my favorite!"

What else do I think of the book, apart from the fact that it is awesome? :-)

First, I have to admit that I used to argue with Raffy about usefulness of visualization. I was burned by having to look at bad "visualization" tools and would take an ugly, meaningful table over an ugly, meaningless picture any day now. Thus, I was a visualization skeptic. But you know what? The book does justice to visualization really well, and it explains when to use it and when not to use it.

The book gives just the right amount of visualization theory, which is not onerous to read at all (unlike some other books), as well as other visualization basics. The fun starts at Chapter 4, where he covers the process from data to useful pictures. This actually explains why some visualizations are useful and some are not; if you just jam data into a graphing program, there is a good chance that it would not be too useful. If you follow the ideas from Ch4, it is more likely to be useful.

Ch5 and 6 cover network data analysis: logs, packets, flows. This is what most people usually try to visualize; this book goes beyond "worms and scans" into nice visuals of email traffic, wireless and even vulnerability data (I found the latter slightly confusing). Ch7 covers "compliance", which, in this case, covers all sorts of fun things, from risk assessment to database log visualization. As I said, Ch8 is my favorite: I agree that insider tracking MAY be the area where visualization tools and approaches beat others. In Ch9, the book covers a few visualization tools; obviously, including the author's AfterGlow.

So, to summarize, get the book if you have any connection to security AND data analysis. In fact, it is very likely that if you are doing security, you'd have to do data analysis at some point and so will benefit from reading the book. And, yes, it does come with a CD full of visualization tools (DAVIX).


5.0 out of 5 stars Includes a live CD Data Analysis and Visualization Linux tool, November 9, 2008
This review is from: Applied Security Visualization (Paperback)
Raffael Marty's APPLIED SECURITY VISUALIZATION comes from a leading network security visualization expert who reviews all the concepts, techniques and tools needed to use visualization in network processes. From understanding data sources and choosing between graphs and techniques for IT data to auditing results and comparing tools, this is a fine recommendation for an advanced computer collection strong in security and includes a live CD Data Analysis and Visualization Linux tool, as well.


1 of 5 people found the following review helpful:
4.0 out of 5 stars make a graph to analyse a lot of data, August 14, 2008
This review is from: Applied Security Visualization (Paperback)
Marty explains how to analyse computer security logs using visualisation. The problem is that the logs can, and in fact usually do, become voluminous. You, the sysadmin, then have the unenviable task of manually plodding thru megabytes of text in a log file, looking for possible cracker probes or even actual successful intrusions. As Marty points out, if you can somehow display the data in a concise visual format, then you can take advantage of the high bandwidth of the human eye and the wetware pattern recognition that it is connected to in the brain.

So what display methods are there? Well, the text goes over principles known to graphics artists, but perhaps not as well bruited amongst sysadmins. Basically, you have a two dimensional area, like a computer screen, in which to show data. By judicious use of colour, shape and movement [and some other means] you can extend the effective dimensionality of the graph.

The book talks about various graphs. Describing the limitations of the simple pie, bar and line graphs. More versatile are the scatterplot and cluster graph. The latter lets you show a "graph", in another meaning of the latter word as a connected [perhaps via directed arcs] set of nodes.

The example data are drawn from typical internet logs, like those output by a packet sniffer or by a web or mail server. The logs look at different levels of the Internet Protocol stack. The web and mail server logs sit at the application layer.

Also useful is Marty's survey of open source and commercial plotting packages. The book's CD has a collection of the former. You should consider whether an existing package is suitable for your needs. Much quicker to adapt one, than to code a graphics program from scratch.


Applied Security Visualization by Raffael Marty (Paperback - August 11, 2008)