
Visual Analytics for Cyber Defense Decision-Making Anita D’Amico, Ph.D. Secure Decisions division of Applied Visions, Inc.


1 Visual Analytics for Cyber Defense Decision-Making
Anita D’Amico, Ph.D.
Secure Decisions division of Applied Visions, Inc.
anita.damico@securedecisions.com
631-759-3909

2 WHAT DO CYBER DEFENDERS DO? HOW CAN VISUAL ANALYTICS HELP?

3 Incident response team activities (Killcrece, Alberts, CMU studies)
- Reactive
  - Triggered by an event, such as an IDS alert
  - Examples: Reviewing log files, correlating alerts
- Proactive
  - Prepare, protect and secure for future attacks
  - Examples: Prediction of upcoming attacks and techniques
- Security Quality Management
  - IT services in support of general information security
  - Examples: Training, recovery planning, product evaluation
Cognitive and decision analyses show: Very little effort on proactive

4 Visual analytics can help network defenders transform raw data into meaning
Raw Data -> Interesting Activity -> Suspicious Activity -> Events -> Incidents -> Problem Sets

5 Types of CND analysis
- Triage analysis
  - Weed out false positives
  - Escalate suspicious activity for further analysis
- Escalation analysis
  - Analyze data over longer time than Triage
  - Incorporate multiple data sources (more than Triage)
- Correlation analysis
  - Look for patterns and trends
  - Assess similarity to related incidents – internal & external
- Incident response
  - Recommend, implement Courses of Action
  - Support law enforcement investigation
- Malware analysis
  - Reverse-engineer malware
  - Develop defenses against malware
- Forensic analysis
  - Collect and preserve evidence
  - Support law enforcement investigation
- Threat analysis
  - Characterize attackers: identification, modus operandi, motivation, location
- Vulnerability analysis
  - Identify and prioritize vulnerabilities
  - Manage remediation of vulnerabilities
- Sensor management
  - Develop signatures, tune sensors
  - Modify placement of sensors
(from 2005 D’Amico & Whitley CTA, and other Secure Decisions decision analyses)

6 Mission impact analysis

7 Visualization should support all stages of SA, types of CND analysis, and uses
Stages of Situational Awareness (SA): Perception, Comprehension, Projection
Types of Analysis: Triage, Vulnerability; Escalation, Correlation; Threat, Response; Forensic, Malware
Uses of Visualization:
- ORIENT attention
- REPORT and EXPLAIN what has been observed
- EXPLORE data (for patterns, anomalies)
- PREDICT

8 How do Alan Turner’s VA primitives apply?
Stages of SA: Perception, Comprehension, Projection
Types of Analysis: Triage, Vulnerability; Escalation, Correlation; Threat, Response; Forensic, Malware
Turner’s Primitives: ORIENT, CHARACTERIZE, QUANTIFY, TEST, DISCOVER

9 How do cyber defenders differ from Alan’s users?
- Old way doesn’t work, and they know it
- Never feel totally successful
- Hard to estimate the level of effort needed
- Not clear when they’re done

10 CND analysts see the world in red and blue; they attend to timing and sequence
[Figure: Attack Timeline, coordinated attack to exfiltrate email]
Analysts think about data from the perspective of the attacker’s goals, methods, and timing.
First instance of the attacker’s appearance is an important marker.

11 CYBER SECURITY VISUAL ANALYTICS CHALLENGES

12 Incomplete, inaccurate and ephemeral data
Adversaries disappear and re-appear, and can be co-located with friendlies.
Wireless networks increase the transitory nature of data.
[Diagram labels: Public Networks; Missions/Business Functions; Mission-to-Network Mapping; Defender Patch Status; Dynamic Topology; Sensor Location & Status; Enterprise]

13 Visual analytics is an unfulfilled promise in cyber operations
- Failure to transition, to deliver – lots of R&D; little operational deployment of visual analytics systems
- “Lack of information” visualization and analytics – rare
- Visual interface to security automation – rare
- Process visualization – rare
- Visual analytics to augment training – rare
- Visual analytics to evaluate tactics – rare

14 Visual analytics systems (imagine, create, deliver)
- Data import, normalization and aggregation
- Non-viz features to reduce “tool time”
  - Importing, filtering “hot IPs”, authorized devices, and users
  - Automated report builders
  - Annotations and personal notes
- Diverse media
  - Workstations, big-board, PDA, in-vehicle displays
- Robust, secure, certifiable code base
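Slides 4, 5, 10 and 14 describe the same pipeline from different angles: raw data from several sources is normalized and aggregated, triage weeds out false positives and escalates suspicious activity, "hot IP" and authorized-device lists cut tool time, and the first appearance of an attacker anchors the attack timeline. The following is an added example, not code from the slides or from Secure Decisions, that implements that pipeline in miniature. The two log formats, the IP addresses (from the RFC 5737 documentation ranges), the signature names, the watch list and the escalation threshold are all constructed for illustration.

```python
"""Added example: a minimal triage pipeline over two constructed log sources."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data: an IDS alert feed and a firewall log, each in its
# own line format (the "data import and normalization" problem of slide 14).
IDS_LINES = [
    "2024-03-05T09:58:10Z ids alert src=203.0.113.7 dst=10.0.0.5 sig=SMB-probe",
    "2024-03-05T10:02:11Z ids alert src=203.0.113.7 dst=10.0.0.8 sig=SMB-probe",
    "2024-03-05T10:04:30Z ids alert src=10.0.0.50 dst=10.0.0.5 sig=SMB-probe",
    "2024-03-05T10:05:02Z ids alert src=198.51.100.9 dst=10.0.0.5 sig=HTTP-scan",
]
FW_LINES = [
    "Mar  5 09:57:41 fw DENY 203.0.113.7:4431 -> 10.0.0.5:445",
    "Mar  5 10:03:15 fw DENY 203.0.113.7:4432 -> 10.0.0.9:445",
    "Mar  5 10:06:00 fw DENY 192.0.2.33:51000 -> 10.0.0.5:22",
]
HOT_IPS = {"192.0.2.33"}            # constructed watch list of known-bad addresses
AUTHORIZED_DEVICES = {"10.0.0.50"}  # constructed: an internal vulnerability scanner
ESCALATE_AFTER = 2                  # hits across all sources before escalation (assumed)

IDS_RE = re.compile(r"^(\S+) ids alert src=(\S+) dst=(\S+) sig=(\S+)$")
FW_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) fw (\w+) (\S+):\d+ -> (\S+):(\d+)$")


def parse_ids(line):
    """Normalize one IDS alert line into the common record shape."""
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "ids", "src_ip": m.group(2), "dst_ip": m.group(3), "detail": m.group(4)}


def parse_fw(line, year=2024):
    """Normalize one syslog-style firewall line; the year is absent and assumed."""
    m = FW_RE.match(line)
    if not m:
        return None
    mon, day, clock, action, src, dst, dport = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "fw", "src_ip": src, "dst_ip": dst, "detail": f"{action}/{dport}"}


def normalize(ids_lines, fw_lines):
    """Import both sources, drop unparseable lines, and order everything by time."""
    recs = [parse_ids(l) for l in ids_lines] + [parse_fw(l) for l in fw_lines]
    return sorted((r for r in recs if r), key=lambda r: r["ts"])


def triage(records):
    """Aggregate per source IP and assign a triage verdict (slides 4 and 5)."""
    agg = defaultdict(lambda: {"hits": 0, "sources": set(), "targets": set(), "first_seen": None})
    for r in records:
        a = agg[r["src_ip"]]
        a["hits"] += 1
        a["sources"].add(r["source"])
        a["targets"].add(r["dst_ip"])
        # First appearance of each address is the timeline marker from slide 10.
        if a["first_seen"] is None or r["ts"] < a["first_seen"]:
            a["first_seen"] = r["ts"]
    for ip, a in agg.items():
        if ip in AUTHORIZED_DEVICES:
            a["verdict"] = "false_positive"   # weeded out: authorized device
        elif ip in HOT_IPS or a["hits"] >= ESCALATE_AFTER:
            a["verdict"] = "escalate"         # suspicious: hand to escalation analysis
        else:
            a["verdict"] = "interesting"      # seen once, not yet suspicious
    return dict(agg)


def attack_timeline(triaged):
    """Escalated addresses ordered by first appearance."""
    esc = [(a["first_seen"], ip) for ip, a in triaged.items() if a["verdict"] == "escalate"]
    return [ip for _, ip in sorted(esc)]


if __name__ == "__main__":
    result = triage(normalize(IDS_LINES, FW_LINES))
    for ip in attack_timeline(result):
        a = result[ip]
        print(f"{a['first_seen'].isoformat()} {ip} hits={a['hits']} "
              f"sources={sorted(a['sources'])} targets={sorted(a['targets'])}")
```

Two design points matter more than the toy thresholds. Normalizing to one record shape before aggregation is what lets a single address that appears in both the firewall and IDS feeds be counted once, across sources, rather than analyzed twice in two tools; and the authorized-device list is applied only at the verdict step, so the scanner's traffic still appears in the normalized record set for forensic review even though triage suppresses it.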

15 Staying ahead of the adversary
- How do we use visual analytics to make the cyber defense process more proactive?
- How do we enhance information sharing within an organization, and across organizations?
  - Portable, shareable datasets and visual analytics
  - Collaborative tools

16 Mapping network assets to organizational missions
Need information and visual analytics to discover:
- Vulnerabilities of the organization’s highest-priority goals
- Network assets that must be assured for continuity of mission-critical functions
- Organizational impact of an attack, or of a defensive COA

17 Anita D’Amico
Secure Decisions division of Applied Visions, Inc.
anita.damico@securedecisions.com
631-759-3909

