GrrCON: Visualizing data to make sense of security


GrrCON logoRecently, I attended the GrrCON (pronounced just like it’s spelled) security conference in Grand Rapids, Michigan.

Talk subjects ranged from the security of smart power meters, to social engineering tricks and defenses against them, to making blinkie lights respond to changing network conditions. Despite the wide variety of subjects, I managed to find a common thread shared by some of them.

What it comes down to is that managing security is difficult, and we need better tools to do it. Wolfgang Goerlich, in his talk about business continuity planning, mentioned that he once compiled all the new information regarding security that came out in a single day and timed how long it took him to read that one day’s worth.

It took five days, during which time five times more stuff appeared! Sites like Naked Security try to distill this information into more manageable and prioritized chunks, but that’s only part of the solution.

Maybe what we need is a visual representation of the network traffic so it’s easier to conceptualize. One of the sponsors (and I apologize for not remembering who it was) had a product that showed multicolored area graphs representing the network traversing your firewall to help with this problem.

The most entertaining presentation I saw related to this was “Blinkie Lights! Network Monitoring with Arduino” presented by Steve Ocepek.

Steve's drawing of a modemSteve remembers the days when you could look at the analog modem next to your computer, see what the blinking lights were doing, and know something about your Internet connection.

Today’s network adapters have a few indicator lights on them, but they’re fairly useless, not just because they’re mounted on the back of the computer where you can’t see them.

To remedy this problem, Steve hooked up an 8×8 array of LEDs to a USB-mounted Arduino and controlled it with some Perl code.

Arduino logoIn one mode, the device lit an LED for each active network connection and colored it by Geo IP country code.

That might not be spectacularly useful for security, but it served as an example of how a person can absorb information much more quickly through color and position than a person can through text. He learned, for example, that a particular pattern of blue lights meant that his coworker in the UK was calling him on Skype.

In another mode, he colorized the data based on the type of connection: email port numbers were one color, file sharing was another, etc. Sorted into columns, that display showed at a glance what the machine was doing.

Where that information intersected with intrusion detection was that a port scan on the monitored machine maxed out the “other” color and column, which was very easy to see.

More importantly, anyone watching the light display over the course of a week or so would get used to a particular pattern and have a good feel for what is normal network activity.

Even a nontechnical user could do this, and abnormal network activity could be noticed immediately (when the light display did something unusual) rather than days later when the administrator gets around to looking at the firewall log.

Now, nobody is suggesting that we need to run out and equip all of our workstations with Arduinos and light arrays. This was a hobby project and a proof of concept more than anything else, but the theory is valid.

There are probably other ways to organize the data for display on an LED array, and some of them could be even more useful than either of the demonstration modes.

Maybe someone will use the computer’s main display to do the same thing without conflicting with real work. The point is that there might be better ways to monitor and understand network information than what we’re currently doing, and projects like this are an important step in finding them.