Cyber Security: Seeing Is Believing — and Understanding

Brian Wood Blog

We all know that the speed of light is much faster than the speed of sound; witness lightening and thunder.

Similarly, when it comes to information synthesis, it’s not hard to understand that the speed of visual pattern recognition is much faster than the speed of reading, correlating, and absorbing disparate data in multiple formats.

This is the future.

Summary article by Pam Baker in FierceBigData and original article by Wayne Rash in eWeek.

Emphasis in red added by me.

Brian Wood, VP Marketing


Visualization, predictive analytics top tools for cyber defenders

Cyber criminals are launching more sophisticated attacks every day but thanks to big data tools, they can no longer operate undetected. Wayne Rash at eWeek gives a compelling account of how cyber defenders are using big data visualization and predictive analytics not only to track attacks in real-time, but to watch the earliest movements towards building an attack in order to stop it before it gets much beyond the planning stage.

As Rash notes in his article, it all looks and sounds like something straight out of science fiction. But this is reality fed onto a screen as it is happening. The images are the fastest means for computers to transfer data to humans and the humans react to the threats almost as quickly as they receive the information.

We can see ‘missions’ against agencies,” J.R. Reagan, federal chief innovation officer for Deloitte & Touche, told eWeek. “We can see the DDoS [distributed denial of service] buildup; see commands to the botnet start up.”

Reagan also said in the eWeek interview “that by learning the relationships, cyber experts can find out what else a particular server has done and know what role it plays in the attack.”

Cyber defenders have become so good at using these tools that you would think they have been a long-lived component of the cyber security arsenal. Indeed, cyber defenders have been using them for a while now.

“We’ve seen where you can combine the physical world and the network world and do a geospatial fly-in,” said Reagan.

Some corporations are similarly making use of big data visualizations for a number of business goals, including data security. But few are maximizing what can be done with the technology. In some cases, this is due to budget concerns wherein companies try to get by with the minimum in visualization and predictive analytics.

But more often, it’s because companies have not yet been able to harness big data in ways that would give them something other than a skewed picture.

This is just the dawn of big data, and therefore there is still much to learn and master yet. It is incredibly fortunate, however, that cyber defenders were among the first to figure out how to use the tools.


Graphical Tools Help Security Experts Track Cyber-Attacks in Real Time

Cyber-sleuths use tools that appear to have come straight out of a science fiction movie in their quest to detect attacks in time to raise defensive shields.

The image on the screen shows a cyber-attack in progress, but it doesn’t look like the rows of reports that you usually expect to see as event data flows from intrusion prevention systems, next-generation firewalls and security reporting systems.

Instead, it looks like a fantastic image from something in the world of science fiction. Streams of data flow from the globe representing the Internet. Attack vectors are highlighted in red. You can watch the changes as the attacks progress.

To say that this technology represents a whole new way of looking at data is an understatement. Watching the big data visualizations from Japan’s National Institute of Information and Communications Technology (NICT) and its Daedalus Cyber-attack alert system may look like something from a science fiction movie, but it’s very real. Perhaps better, it represents one of the new ways researchers and cyber-security experts have found to show attacks in action.

As I had found when I attended a conference in Washington earlier in June, the world of cyber-security has changed. But how much it’s changed became far clearer when I talked to some of the leading experts in the field. Perhaps what has changed the most is that new ways have emerged that allow the vast quantity of data to be monitored in real time. This means that you can see an attack as it’s in the earliest stages—in time to take preventative action.

“We’ve managed in the past from rows and columns, then bar and pie charts,” explained J.R. Reagan, Federal Chief Innovation Officer for Deloitte & Touche in Arlington, Va. But Reagan noted that this isn’t very intuitive when it’s happening at breakneck speed: “It’s a post-digital problem.”

Reagan said that due to the limitations in a person’s ability to compare numbers and data in event logs, having other automated tools looking at an event as it happens means that the rapid understanding of the event is possible—especially in real time as things are actually happening.

“Maybe see the attack on a map, put it into more of a 3D spatial look, spider chart or ‘bread crumbs’ to see where it leads,” Reagan suggested. An effective way to visualize such an attack, he said, is seeing random dots clustered around servers showing geography and even IP addresses, such as what’s presented in Daedalus.

“You can see where bad transactions are coming from,” Reagan said, “We’ve seen where you can combine the physical world and the network world and do a geospatial fly-in.” Cyber-defense researchers are learning much from the casino gaming industry in Las Vegas, such as the need to put relationships to events and to the people behind the events, according to Reagan.

“You watch a person and who that person knows,” he said, adding that by learning about those relationships, specialists can start to see the threats ramp up, and the forces being gathered before a cyber-attack begins. “Can see ‘missions’ against agencies,” he said. “We can see the DDoS [distributed denial of service] buildup; see commands to the botnet start up.” He said that by learning the relationships, cyber experts can find out what else a particular server has done and know what role it plays in the attack.

The process uses predictive analytics,” said Eric De Roos, senior director of Business Technology for MicroStrategy in Tyson’s Corner, Va. “We can see events leading up to a DDoS attack. We’ll get a flood of requests from a huge number of machines, and we can predict that this is going to happen.”

De Roos says that when looking at events in real time, such as when observing a cyber-attack, it’s important to be able to change metrics and views dynamically to reflect what’s needed for a specific visualization at a particular time.

Unfortunately just because these advanced visualization tools are available doesn’t mean they’re being used. “We don’t have a lot of visualization specialists in the security world,” Reagan said. “Most security practitioners aren’t steeped in analytics, but this is an analytics game. We have to get good at that to solve the problem.”

What’s worse is that the size of the problem is going to continue to grow. Cyber-criminals aren’t letting grass grow under their feet either. Attacks continue to get more sophisticated, the attackers learn to employ their own advanced techniques, and the rewards for cyber-crime continue to rise.

Because the nature of attacks has changed, the need is already upon us to harness the analytic power that’s available through the use of big data to fight off the attacks, to find out where the attackers are and to neutralize them. As one cyber-security specialist said to me recently, “We have to be right every time; they only have to be right once.”

Fortunately, by using advanced analytics and visualization, cyber-defenders can help ensure that they’re right every time.