j-j.co.za
Sharing thoughts and ideas on business, security and photographyVisualisation of time based attacks on DMZ (videos)
Posted on August 24, 2014Visualisation of two weeks of IPS data
Critical and high significant IPS events detected on a public facing Palto Alto device, visualised using Microsoft Excel Power Map for a period in November and December 2013.
The data is taken from daily detection summaries so although it covers a nearly two-week period has 24 hour time resolutions.
The attacks are differentiated between Spyware and Vulnerability.
Note the fairly constant levels of vulnerability attacks from China, Turkey & Indonesia.
The practical application of such a visualisation in detecting or preventing attacks is limited, however, it provides an effective mechanism to explain the level of attack (directed and random) against the organisation on a pretty much constant basis.
Visualisation of 24 hours of IPS data
Critical and high significant IPS events detected on a public facing Palto Alto device, visualised using Microsoft Excel Power Map for a 24 hour period on the 10th and 11th December 2013.
The source data is per event detected over that 24 hour period.
The attacks are differentiated between Spyware and Vulnerability.
The video shows two types of visualisation, first a “phased decay” where the attack is plotted and then fades away if not detected. This shows the attacks coming and going across the globe with the exception of China which is fairly constant source of attack.
The second segment shows a continuous growth in the sizes of the attack bubbles over the period. This illustrates the overall relative number of attacks from the various sources.
Note the main sources of vulnerability attacks being China, Turkey, Argentina & Indonesia.
The practical application of such a visualisation in detecting or preventing attacks is limited, however, it provides an effective mechanism to explain the level of attack (directed and random) against the organisation on a pretty much constant basis.
Visualising Security Data : SCCM patching traffic flows
Posted on March 03, 2014I have been experimenting a little recently with visualisation of security data.
We have had some challenges with SCCM and needing to understand which clients were connecting to which servers, where and why. This data seemed very hard to come by and after some discussions with some helpful Microsoft South Africa folk the service provider pulled the IIS logs from most of our SCCM Primary Servers and the Distribution Points.
I then added in a Destination column (being the server from which the log was pulled) and combined the logs from all of the servers (6 Primary and 6 Distribution). In MS Access I then summarised the data by source and destination pairs, providing 13952 connections. This was exported as a CSV and headings added in using Notepad (Gephi wouldn’t read the data file without headings named to its liking).
The data was then loaded into Gephi as edge data. I then searched for each of the 12 servers in the node table, added in a Label, changed the colour and size (Red 30 for Primary Blue 20 for secondary), selected the Force Atlas option and let it plot my data. The 13 546 nodes and 113952 were then plotted providing the graph below (when exported as PDF).
The graph was somewhat unexpected in that I did not foresee so many of the workstations being served from Primary servers nor so many devices receiving data from multiple servers. A few of the DP’s (top and bottom of screen) clearly are not serving the numbers of workstations we would expect and need deeper investigation.
While Excel cross tabs and more detailed access queries provide more detailed insight into what is going on this visualisation very quickly demonstrates a very different picture to which the service provider running the SCCM infrastructure had been describing.
Have you done anything similar? Please do share.
Map of SCCM links using Gephi
Download the PDF version here : map of sccm v2
What people say
Close block