There are many ways to visualize raw data in graphical form. This blog entry will consider network topology visualization, trust relationship graphing and security event analysis. We will use a combination of Tenable products to procure the event and vulnerability data, the Tenable 3D Tool and AfterGlow.
For viewing how network components are connected, Tenable's 3D Tool can use the traceroute data collected by one or more Nessus scanners. The 3D Tool connects to the Security Center where all topology data is stored.
For large enterprise networks, attempting to place all of the nodes on a single 2D graph can be very complicated. By representing the same data in 3D, analysis of how networks are connected can be more easily understood. Below is a screen shot of such a topology as viewed in the 3D Tool.
All nodes are connected to a router, and all routers are placed on a helix. This type of view lets users see which routers have more hosts on them. It also lets users see how the routers are connected to each other.
Previously, Tenable's Lightning Console used a 2D display to show the topology as shown below:
This "hub and spoke" view is still useful, but it has limitations in the number of nodes that can be displayed at one time. Viewing this data in 3D is more efficient than working with a 2D model.
Afterglow - Trust Relationships with Passive Vulnerability Scanner
The Passive Vulnerability Scanner (PVS) can detect when a certain host connects to another host at least once. For example, consider this report from a PVS:
192.168.20.199|unknown (22/tcp)|3|Security Note|192.168.20.199 -> 192.168.20.200:22
192.168.20.199|unknown (37/tcp)|3|Security Note|192.168.20.199 -> 0.0.0.0:37
The first line says that host 192.168.20.199 connects to 192.168.20.200 on port 22. The second line says that the same host connects to 0.0.0.0 on port 37 (time). The IP 0.0.0.0 represents a destination "outside" of the PVS's immediate network, i.e., someplace on the Internet.
These logs are "permanent" in that if the PVS sees a connection, it adds this to the database. For a real-time understanding of what the PVS can generate, read this blog entry which details the type of alerts that can be generated on the fly.
Using the Security Center's ability to save queries as a .csv spreadsheet file, it is possible to create an AfterGlow image of these trust relationships. Below is a screenshot of a small number of hosts which "connect" to each other:
The nodes that have many incoming connections (such as 10.10.131.37 in the lower right) are destinations used by many remote clients. For this rendering, the center location is a "null" node that connects disparate nodes to a central place. If a more complete PVS data set were used, the 0.0.0.0 node would have been a common destination for everyone, as this represents an Internet destination.
Knowing where your clients go on the internal network can help identify critical internal systems and systems that have sensitive data.
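As an added Python example (not code from the original post or from Tenable), the following parses records in the PVS report layout shown above into source/destination pairs, writes AfterGlow's two-column input, and counts how many distinct clients reach each destination, which is how the heavily used internal systems mentioned above stand out. The records are constructed, and the 10.10. to 20.20. rewrite mirrors the obscuring substitution described later in the post.

```python
import re

# Constructed sample records in the PVS report layout shown above (not real data):
# host|plugin (port/proto)|severity|type|source -> destination:port
PVS_REPORT = """\
192.168.20.199|unknown (22/tcp)|3|Security Note|192.168.20.199 -> 192.168.20.200:22
192.168.20.199|unknown (37/tcp)|3|Security Note|192.168.20.199 -> 0.0.0.0:37
192.168.20.201|unknown (22/tcp)|3|Security Note|192.168.20.201 -> 192.168.20.200:22
192.168.20.201|unknown (80/tcp)|3|Security Note|192.168.20.201 -> 0.0.0.0:80
192.168.20.201|unknown (445/tcp)|3|Security Note|192.168.20.201 -> 10.10.131.37:445
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
EDGE_RE = re.compile(rf"^({IPV4}) -> ({IPV4}):(\d+)$")

def parse_pvs(report):
    """Return (source, destination, port) tuples from PVS trust-relationship records."""
    edges = []
    for line in report.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            continue                       # not a record in the expected layout
        m = EDGE_RE.match(fields[4].strip())
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if dst == "0.0.0.0":               # PVS's marker for "somewhere on the Internet"
            dst = "Internet"               # collapse all such hits into one graph node
        edges.append((src, dst, port))
    return edges

def obscure(addr, old_prefix="10.10.", new_prefix="20.20."):
    """Rewrite a leading network prefix before publishing a graph (10.10.x.y -> 20.20.x.y)."""
    return new_prefix + addr[len(old_prefix):] if addr.startswith(old_prefix) else addr

def to_afterglow(edges):
    """Two-column source,destination text that AfterGlow consumes; one line per edge."""
    return "".join(f"{obscure(src)},{obscure(dst)}\n" for src, dst, _port in edges)

def fan_in(edges):
    """Distinct clients per destination; high counts point at shared internal servers."""
    clients = {}
    for src, dst, _port in edges:
        clients.setdefault(dst, set()).add(src)
    return {dst: len(srcs) for dst, srcs in clients.items()}
```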
AfterGlow - ICMP Flood
Sometimes 2D visualization doesn't shed light on or offer insight into what is going on. Consider this example. An ICMP flood is observed on a large enterprise network with the Log Correlation Engine (LCE):
Using the Security Center to extract a very large sample of records in the "spike" of ICMP traffic, AfterGlow generates the following type of display:
There are so many nodes on the graph that it is virtually unreadable. This is not any fault of AfterGlow or the underlying Graphviz rendering engine. It's just that attempting to display more than 10,000 unique IP addresses on a bitmap becomes very crowded. If you look closely, you can see IP addresses in there. The black IPs are the "internet" and the yellow IPs were our network. Basically, there are a lot of IP addresses sending ICMP traffic to many hosts on our network.
Also, in this case, we used the wrong tool to try to understand what is going on. Consider a simple list of "Top IP Addresses" for the same ICMP flood data (with our network IP addresses obscured):
Most of the ICMP traffic came from one host. What we ended up graphing out in AfterGlow was all of the background ICMP traffic along with the actual ICMP flood. The point of this example is to always keep in mind what you are graphing.
AfterGlow - Port Scan Example
For the last example, we'd like to see if we can correlate pairs of "sources" and "destinations" for port scans. The PVS can detect when an internal system begins port scanning. We could have used Snort, TippingPoint, or any other sort of log data. With the Log Correlation Engine, five days of port scan events graph out this way on a large demo network:
It would be interesting to use the Security Center and ask it to summarize the top IP addresses involved in this traffic. However, a summary of event counts cannot distinguish a host that scanned 50 unique targets once each from a host that scanned a single target 50 times; it does not show the real distribution. Visualizing this data with AfterGlow generates the following image:
The external "yellow" hosts are actually from our test network. All of the nodes in the center are target nodes for the port scans. What this graph shows is hosts that have a large number of unique targets. In the lower left of this display, several nodes have scanned several dozen unique targets, whereas many other port scan sources only targeted one host.
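The distinction drawn above, as an added Python example (not code from the post or from Tenable, with constructed events rather than LCE data): a per-source event count cannot tell a host that scanned six targets once each from a host that hit one target six times, while a unique-target profile, which is what the AfterGlow graph renders as fan-out, can.

```python
from collections import Counter, defaultdict

# Constructed port-scan events as (source, target) pairs (not real LCE data).
# 10.10.1.5 hits six different targets once; 10.10.1.9 hits one target six times.
EVENTS = (
    [("10.10.1.5", f"10.10.2.{i}") for i in range(1, 7)]
    + [("10.10.1.9", "10.10.3.1")] * 6
    + [("10.10.1.7", "10.10.2.1")]
)

def top_sources(events, n=5):
    """The 'Top IP Addresses' summary: event count per source, busiest first."""
    return Counter(src for src, _ in events).most_common(n)

def scan_profile(events):
    """Per source: (unique targets, total events). Two hosts with equal totals differ here."""
    targets = defaultdict(Counter)
    for src, dst in events:
        targets[src][dst] += 1
    return {src: (len(c), sum(c.values())) for src, c in targets.items()}

def broad_scanners(events, min_unique=5):
    """Sources that touched at least min_unique distinct targets: fan-out, not volume."""
    return sorted(s for s, (uniq, _) in scan_profile(events).items() if uniq >= min_unique)

def afterglow_edges(events):
    """Deduplicated source,target lines; AfterGlow draws one edge per unique pair."""
    return "".join(f"{s},{d}\n" for s, d in sorted(set(events)))
```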
Working With AfterGlow
To create the above displays, data was downloaded from the Security Center as comma-separated values (.csv). It was then sanitized (i.e., replacing certain live IP addresses with something else). Lastly, the data was modified from the .csv format to something that AfterGlow can consume. The following Perl script can be used to convert a .csv file from the Security Center that lists IDS or log events:
# Read the Security Center export (source.csv) and write afterglow.csv
open(FH, "<", "source.csv") or die "cannot open source.csv: $!";
open(WH, ">", "afterglow.csv") or die "cannot create afterglow.csv: $!";
while (<FH>) {
    $line = $_;
    #$line =~ s/xxx/yyy/g;    # optional: obscure live address ranges
    $line =~ s/\"//g;         # strip the quotes Security Center puts around fields
    chomp($line);
    @stuff = split(",", $line);
    print WH ("$stuff[0],$stuff[1]\n");   # source,destination (column indexes assumed; adjust to your export)
}
close(FH); close(WH);
It takes a file named source.csv and creates afterglow.csv. The new file will simply have the source IP and the destination IP on the same line separated by a comma. On the commented-out line, the 'xxx' and 'yyy' could be replaced with various octets to obscure your IP network ranges. For example, if you wanted to replace all IP addresses that start with 10.10 with 20.20, you would use a statement like:
$line =~ s/^10\.10\./20.20./g;   # the ^ anchor only rewrites an address at the start of the line
Please refer to the AfterGlow web site for more information on how to create these sorts of graphs.
For more info
The Tenable 3D Tool is available for the Security Center and can visualize topologies, IP vs. port relationships and IP vs. vulnerability ID relationships. A video of how the tool is used is available here. The video includes a display of a network with more than 400 routers and 10,000 nodes.
The SecViz web site also has very good discussions and example images of security data visualization.