
Tenable Blog


Graphical Data Visualizations with Tenable Products

There are many ways to visualize raw data in graphical form. This blog entry will consider network topology visualization, trust relationship graphing and security event analysis. We will use a combination of Tenable products to gather the event and vulnerability data, and the Tenable 3D Tool and AfterGlow to render it.

Network Topology

For viewing how network components are connected, Tenable's 3D Tool can use the traceroute data collected by one or more Nessus scanners. The 3D Tool connects to the Security Center where all topology data is stored.

For large enterprise networks, attempting to place all of the nodes on a single 2D graph can be very complicated. Representing the same data in 3D makes it easier to understand how the networks are connected. Below is a screen shot of such a topology as viewed in the 3D Tool.


All nodes are connected to a router, and all routers are placed on a helix. This type of view lets users see which routers have more hosts on them. It also lets users see how the routers are connected to each other.

Previously, Tenable's Lightning Console used a 2D display to show the topology as shown below:


This "hub and spoke" view is still useful, but has limitations in the number of nodes that can be displayed at one time. Viewing this data in 3D is more efficient than working with a 2D model.

Afterglow - Trust Relationships with Passive Vulnerability Scanner

The Passive Vulnerability Scanner (PVS) can detect when a certain host connects to another host at least once. For example, consider this report from a PVS:

        |unknown (22/tcp)|3|Security Note| ->
        |unknown (37/tcp)|3|Security Note| ->

The first line says that host connects to on port 22. The second line says that the same host connects to on port 37 (time). The IP represents a destination "outside" of the PVS's immediate network, i.e., someplace on the Internet.

These logs are "permanent" in that once the PVS sees a connection, it adds it to the database. For a real-time understanding of what the PVS can generate, read this blog entry, which details the types of alerts that can be generated on the fly.

Using the Security Center's ability to save queries as a .csv spreadsheet file, it is possible to create an AfterGlow image of these trust relationships. Below is a screen shot of a small number of hosts which "connect" to each other:


The nodes that have more "destinations" (such as in the lower right) are used by many remote clients. For this rendering, the center location is a "null" node that connects disparate nodes to a central place. If a more complete PVS data set were used, the node would have been a common destination for everyone, as this represents an Internet destination.

Knowing where your clients go on the internal network can help identify critical internal systems and systems that have sensitive data.

AfterGlow - ICMP Flood

Sometimes 2D visualization doesn't shed light on or offer insight into what is going on. Consider this example. An ICMP flood is observed on a large enterprise network with the Log Correlation Engine (LCE):


Using the Security Center to extract a very large sample of records in the "spike" of ICMP traffic, AfterGlow generates the following type of display:


There are so many nodes on the graph that it is virtually unreadable. This is not any fault of AfterGlow or the underlying Graphviz rendering engine. It's just that attempting to display more than 10,000 unique IP addresses on a bitmap becomes very crowded. If you look closely, you can see IP addresses in there. The black IPs are the "internet" and the yellow IPs were our network. Basically, there are a lot of IP addresses sending ICMP traffic to a lot of hosts on our network.

Also, in this case, we used the wrong tool to try to understand what was going on. Consider a simple list of "Top IP Addresses" for the same ICMP flood data (with our network IP addresses obscured):


Most of the ICMP traffic came from one host. What we ended up graphing out in AfterGlow was all of the background ICMP traffic along with the actual ICMP flood. The point of this example is to always keep in mind what you are graphing.

AfterGlow - Port Scan Example

For the last example, we'd like to see if we can correlate pairs of "sources" and "destinations" for port scans. The PVS can detect when an internal system begins port scanning. We could have used Snort, Tipping Point, or any other sort of log data. With the Log Correlation Engine, five days of port scan events graph out this way on a large demo network:


It would be interesting to use the Security Center and ask it to summarize the top IP addresses involved in this traffic. However, this would not show the real distribution of a host that may have scanned 50 unique targets once as compared to a host scanning a single host 50 times. Visualizing this data with AfterGlow generates the following image:


The external "Yellow" hosts are actually from our test network. All of the nodes in the center are target nodes for the port scans. What this graph shows is hosts that have a large number of unique targets. In the lower left of this display, several nodes have scanned several dozen unique targets, whereas many other port scan sources only targeted one host.
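The ICMP flood and port scan sections above make one point between them: a "Top IP Addresses" count and a graph of unique source/target pairs answer different questions. The following Python script is an added example, not code from the original post; it runs both summaries over a constructed set of source/destination pairs (the same two-column form the post feeds to AfterGlow) so the difference is visible without rendering anything. The event records and the function names are mine.

```python
"""Summarize source/destination event pairs two ways.

Added example (not from the original post): a top-talker count, as a
"Top IP Addresses" summary gives, beside a unique-target count per
source, which is what the AfterGlow port scan graph makes visible.
The event records below are constructed, not real data.
"""
from collections import Counter, defaultdict

# Constructed sample: (source, destination) pairs as they would appear in
# afterglow.csv after the conversion step. One host hits a single target
# many times; another touches many distinct targets once each.
SAMPLE_EVENTS = (
    [("10.10.1.5", "10.10.2.20")] * 50                        # 50 hits, 1 target
    + [("10.10.1.7", f"10.10.3.{n}") for n in range(1, 26)]  # 25 targets, 1 hit each
    + [("10.10.1.9", "10.10.2.20"), ("10.10.1.9", "10.10.2.21")]
)

def top_talkers(events, n=3):
    """Rank sources by total event count (what a top-IP list shows)."""
    return Counter(src for src, _ in events).most_common(n)

def unique_targets(events, n=3):
    """Rank sources by number of distinct destinations (what the graph shows)."""
    targets = defaultdict(set)
    for src, dst in events:
        targets[src].add(dst)
    ranked = sorted(targets.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(dsts)) for src, dsts in ranked[:n]]

def share_of_top_source(events):
    """Fraction of all events attributable to the single busiest source."""
    (_, count), = top_talkers(events, 1)
    return count / len(events)

if __name__ == "__main__":
    print("by event count:   ", top_talkers(SAMPLE_EVENTS))
    print("by unique targets:", unique_targets(SAMPLE_EVENTS))
    print(f"top source share: {share_of_top_source(SAMPLE_EVENTS):.0%}")
```

On this sample the busiest source by count (10.10.1.5, 50 events against one host) is last by unique targets, while the sweeper (10.10.1.7, 25 targets) dominates the second ranking; the flood case is the first ranking, where one source accounts for roughly two thirds of all events and would bury everything else in a graph.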

Working With AfterGlow

To create the above displays, data was downloaded from the Security Center as comma-separated values. It was then sanitized (i.e. replacing certain live IP addresses with something else). Lastly, the data was modified from the .csv format to something that AfterGlow can consume. The following Perl script can be used to convert a .csv file from the Security Center that listed IDS or Log events:

open(FH, "<", "source.csv") or die "source.csv: $!";
open(WH, ">", "afterglow.csv") or die "afterglow.csv: $!";
$line = <FH>;                           # skip the header row of the export
while (<FH>) {
        $line = $_;
        #$line =~ s/xxx/yyy/g;          # optional: obscure IP ranges (see below)
        $line =~ s/\"//g;               # strip the quotes around each field
        @stuff = split(",",$line);      # column 2 = source IP, column 3 = destination IP
        print WH ("$stuff[2],$stuff[3]\n");
}
close(FH); close(WH);

It takes a file named source.csv and creates afterglow.csv. The new file will simply have the source IP and the destination IP on the same line, separated by a comma. On the commented-out line, the 'xxx' and 'yyy' could be replaced with various octets to obscure your IP network ranges. The substitution runs against the whole CSV line, so anchor the pattern on a word boundary rather than the start of the line, and keep the trailing dot in the replacement so the remaining octets are not run together. For example, if you wanted to replace all IP addresses that started with 10.10 to be 20.20, you would use a statement like:

        $line =~ s/\b10\.10\./20.20./g;
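As an added example that is not the post's own script, here is a Python counterpart to the Perl converter above. It keeps the post's column positions (source in column 2, destination in column 3) but goes a little further: the csv module handles quoted fields that contain commas, which a plain split on ',' would cut in the wrong place, and the prefix rewrite is applied to each IP field on its own so the match cannot glue octets together. The sample export, the column constants and the function names are my assumptions, not Security Center's actual export layout.

```python
"""Convert a Security Center event export to AfterGlow's source,target form.

Added example, not the post's own script. Column positions follow the
post's Perl converter; the sample CSV below is constructed.
"""
import csv
import io
import re

# Constructed sample export: header row plus three events. The third event
# has a comma inside a quoted field, which a naive split would mishandle.
SAMPLE_EXPORT = (
    '"time","event","source","destination","port"\n'
    '"2008-05-01 10:00:01","PVS-Connection","10.10.1.5","10.10.2.20","22"\n'
    '"2008-05-01 10:00:02","PVS-Connection","10.10.1.7","192.0.2.9","37"\n'
    '"2008-05-01 10:00:03","Port Scan, TCP","10.10.1.9","10.10.2.21","0"\n'
)

SRC_COL, DST_COL = 2, 3           # positions used by the post's Perl script

# Prefix rewrites applied to every IP field, e.g. 10.10.x.y -> 20.20.x.y.
# Anchored to the start of the field, so "110.10.0.1" is left alone.
OBSCURE = [(re.compile(r"^10\.10\."), "20.20.")]

def obscure_ip(ip, rules=OBSCURE):
    """Apply each (pattern, replacement) rule to a single IP address string."""
    for pattern, repl in rules:
        ip = pattern.sub(repl, ip)
    return ip

def convert(export_text, rules=OBSCURE):
    """Return AfterGlow 'source,target' lines for each data row of the export."""
    reader = csv.reader(io.StringIO(export_text))
    next(reader, None)             # skip the header row, as the Perl script does
    lines = []
    for row in reader:
        if len(row) <= DST_COL:
            continue               # short or blank row: nothing to graph
        src = obscure_ip(row[SRC_COL], rules)
        dst = obscure_ip(row[DST_COL], rules)
        lines.append(f"{src},{dst}")
    return lines

def write_afterglow(src_path="source.csv", dst_path="afterglow.csv"):
    """File-to-file variant matching the post's source.csv -> afterglow.csv flow."""
    with open(src_path, newline="") as fh:
        lines = convert(fh.read())
    with open(dst_path, "w") as wh:
        wh.write("\n".join(lines) + "\n")
    return len(lines)

if __name__ == "__main__":
    for line in convert(SAMPLE_EXPORT):
        print(line)
```

Run as a script it prints the three converted pairs; call write_afterglow() to reproduce the post's file-to-file step. Add further (pattern, replacement) tuples to OBSCURE for each internal range you want hidden before sharing a graph.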

Please refer to the AfterGlow web site for more information on how to create these sorts of graphs.

For more info

The Tenable 3D Tool is available for the Security Center and can visualize topologies, IP vs. Port relationships and IP vs. Vulnerability ID relationships. A video of how the tool is used is available here. The video includes a display of a network with more than 400 routers and 10,000 nodes.

The SecViz web site also has very good discussions and example images of security data visualization.
