8 Jul 2012

Security Visualization

0 comments Permalink Sunday, July 08, 2012
Security threat data is complex. In most environments there is always a constant stream of new threat data. Traditional security solutions have their own way of classifying and presenting this data. Firewalls tell you what’s been allowed in and what has been blocked. IPS/IDS solutions will rank threats into 3 or 4 levels of severity. Security Information and Event Management systems (SIEMs) will attempt to bring some sense to these fragments of data by correlating similar events and providing you a summarised version of the attack. Reporting on this data generally means reviewing a series of rows and columns, grouped by event severity. To interpret the data you still need to watch these rows and columns for the important events and then analyse and respond to them. Blink and you will miss something important.
Packetloop Main Visualization
All this data is really showing you, if you see it before it rolls off the screen, is that an event occurred. It doesn’t tell you anything detailed about the event, nothing about the actual cause of the incident. At a glance, you can’t decide if you need to be more concerned or whether you are still secure. You can’t supply this data to your Board or executives to support your decisions because it doesn’t tell you anything about the trends. Is today different to yesterday or is this week different to last week? What deviates from normal?What sort of data do you want to use to inform your Board?

In developing Packetloop we wanted visualization to be at the heart of the platform, to provide context to help you interpret the data. To be able to glance at a screen and understand in an instant what is going on using simple visual cues, without having to spend time interpreting rows and columns of threat data. Instead of a spreadsheet style interface we believe our users will enjoy this.

Packetloop Main Visualization
The main visualization dominates the screen and the product will ship with the ability to toggle between line, stacked bar and bubble visualizations. If you’re blessed with a large display you extend the visualization full width or enter full screen mode which has been especially designed for data panels. The title bar gives you context and provides different high level information within the different views e.g Overview, Source, Destination, Attacks and Location. Data panels below the main visualization provide more details and trends. Drag the visualization left and right to navigate through time or use the calendar to set the date range you want to analyse. You can use your touchpad or mouse scroll wheel to zoom in and out from years to minutes instantly.

It is also important to represent graphically the more complex relationships in the data, the relationships that help you ascertain what the attacker did and what was accessed or stolen. Packetloop provides you with additional insight into the attack data including:

  • New Attacks - sources, destinations and attacks that have never been seen before.
  • Distinct Attacks - how many distinct destinations did a source attack, or how many distinct attacks did a source use against a destination.
  • Looped Attacks - identifying zero day attacks that were not previously detected when replaying packet captures.

We also view the Threat data through a series of different views staring with a high level Overview that can then be broken down into views by Source, Destination, Attack and Location. We can also provide additional context in relation to attacks such as the the use of anonymous proxies.


Where an attack physically originates from is increasingly important to track as this can be used to formulate high-level access and monitoring policies to deploy on your security devices that protect your assets. Packetloop can plot the location of attackers down to country and city, representing this on a global map, showing volume of attacks via different colours. This simple visualization provides a powerful yet easily understood snapshot.

Packetloop Locations Visualization

Packetloop is designed to help you establish a visual baseline for what is normal traffic. It allows you to view data from different angles or contexts and to zoom in and out of massive amounts of data. You can see the rates of change in data, and the deviations from your baseline. When you hover over the area of the visualization in question, a summary of the attack detail is provided without requiring further in depth analysis.

There is no point in storing Terabytes of data for future analysis, unless you are going to perform the analysis. Packetloop provides a comprehensive filtering capability that allows you to quickly trace an attack via any part of the conversation detail, linking different attributes together to refine the filter.

Packetloop Linked Filter
For example you could see quickly what hosts an attacker has accessed, and then you could identify one of these hosts, and establish whether anyone else had attacked it using the same vulnerability or other vulnerabilities in just a few clicks. The advanced filter capability also offers an intuitive search language that allows you to quickly construct searches for specific attributes in the packet capture data.

As we finalise the preparations for our Beta release, we will publish some more screenshots and videos of our visualizations that better explain what I have discussed above. With Packetloop, we aimed to create the Big Data Security Analytics platform that we would want to use. Hopefully you will be as excited as we are with what we’ve created!