Information security has traditionally been one of the areas of technology that can benefit most from the intelligence derived from data visualization. Organizations produce a lot of data that is relevant to information security professionals, but making effective use of that information has long been a struggle in the industry. There have been various attempts at solving the problem, with security information and event management (SIEM) systems being the most widely deployed, but they have all suffered from a lack of good data visualization capabilities, which we believe is key to understanding large amounts of data. SIEM-like solutions have generally been good at collecting data and providing query capabilities, but they have all been pretty poor at presenting that data visually (AccelOps is perhaps the most effective of them at dashboards and visualization).
We thought it might be fun to turn Tableau loose on some information security data, so we’ll do a series of posts exploring how a data visualization tool such as Tableau might help information security analysts derive actionable information from the mountains of data they sift through. (If you have data sets we can use for this, we’d love to get our hands on them.)
Our first post along those lines is something quite simple. We have a Palo Alto Networks firewall that also sends its logs to a Splunk system (more Splunk use cases to come later). The firewall can show the top applications used on a network over time, but not in graphical form. Don’t get us wrong: the Palo Alto firewall is a standout when it comes to quick access to useful information, and puts other vendors to shame in this regard, but it generally isn’t very effective at displaying data graphically. So we took all of our firewall logs for most of June, exported the data out of Splunk in raw log format, converted the raw logs into a CSV file, and then pulled the resulting CSV into Tableau.
Here is a quick graph of the top ten applications used on our network throughout the month of June. It was simple to create and could be useful in spotting trends – especially if we ran the same graph for potentially riskier applications such as SSH, tunneling apps, and so on.
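The raw-log-to-CSV step above, plus the two views we built from it (top applications by volume, and a per-day series for a watch-list of riskier apps), as an added Python example that is not part of the original post. The log lines are constructed, not real firewall data, and the field positions used for log type, generate time, application and bytes are assumptions for this example rather than a documented PAN-OS layout; verify them against your own Splunk export before relying on the output.

```python
import csv
import io
from collections import Counter, defaultdict
# Field positions in a PAN-OS-style comma-separated TRAFFIC line. The indices
# are assumptions for this example; verify them against your own Splunk export.
TYPE, GEN_TIME, APP, BYTES, NUM_FIELDS = 3, 6, 14, 31, 32

def _line(ts, app, nbytes):
    """Build one constructed TRAFFIC line with only the fields we need filled in."""
    f = [""] * NUM_FIELDS
    f[TYPE], f[GEN_TIME], f[APP], f[BYTES] = "TRAFFIC", ts, app, str(nbytes)
    return ",".join(f)

# Constructed sample export (not real data); the last line is a non-traffic entry.
SAMPLE_LOG = "\n".join([
    _line("2013/06/03 09:12:01", "web-browsing", 120000),
    _line("2013/06/03 09:14:30", "ssl", 80000),
    _line("2013/06/03 10:02:11", "ssh", 4000),
    _line("2013/06/04 08:30:00", "web-browsing", 60000),
    _line("2013/06/04 08:31:00", "dns", 900),
    _line("2013/06/04 11:45:12", "ssh", 150000),
    "1,2013/06/04 11:46:00,0001,SYSTEM,general,1,2013/06/04 11:46:00,x,x",
])

def parse_traffic(text):
    """Reduce raw lines to (day, app, bytes) records, skipping other log types."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < NUM_FIELDS or row[TYPE] != "TRAFFIC":
            continue
        records.append((row[GEN_TIME].split(" ")[0], row[APP], int(row[BYTES] or 0)))
    return records

def to_csv(records):
    """Emit the flat day,app,bytes CSV that Tableau (or any viz tool) can ingest."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["day", "app", "bytes"])
    w.writerows(records)
    return buf.getvalue()

def top_apps(records, n=10):
    """Rank applications by total bytes over the whole export (the 'top ten' view)."""
    totals = Counter()
    for _, app, nbytes in records:
        totals[app] += nbytes
    return totals.most_common(n)

def daily_bytes(records, watch):
    """Per-day byte totals for a watch-list of riskier apps (ssh, tunnelling, ...)."""
    out = defaultdict(Counter)
    for day, app, nbytes in records:
        if app in watch:
            out[day][app] += nbytes
    return {day: dict(c) for day, c in out.items()}
```

Feeding `to_csv(parse_traffic(open("export.log").read()))` into Tableau gives the same day/app/bytes table the post charts; `daily_bytes` is the series you would plot to watch SSH or tunnelling volume change from day to day.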