Using KeyLines 3.0 to visualize your cyber data at scale Cyber security analysts face data overload. They work with information on a massive scale, generated at millisecond levels of resolution detailing increasingly complex attacks. To make sense of this data, analysts need an intuitive and engaging way to explore it: that’s where graph visualization plays a role. During this session, Corey will show examples of how graph visualization can help users explore, understand and derive insight from real-world cyber security datasets. You will learn: • How graph visualization can help you extract insight from cyber data • How to visualize your cyber security graph data at scale using WebGL • Why KeyLines 3.0 is the go-to tool for large-scale cyber graph visualization. This session is suitable for a non-technical audience.

1. Supercharged graph visualization
for cyber security
5th May 2016
Corey Lanum / Ed Wood
09:00 am PDT
12:00 noon EDT
17:00 BST
18:00 CEST

2. Supercharged graph visualization
for cyber security
5th May 2016
Corey Lanum / Ed Wood

3. Agenda
● Introductions
● Some Challenges of Cyber Data
● Live Demos
● Hints and Tips
● Your Questions
Webinar will be recorded.
Video will be shared tomorrow.
Please submit questions via Citrix panel!

4. Cambridge Intelligence
• Founded in 2011
• Cambridge UK & Boston US
• We help organizations to
understand connected
data:
– Award-winning products
– Developer services
– Expert know-how

5. • Cross-browser compatibility
• Works on any device
• A fast developer experience
• Rapid deployment
• Easy maintenance
• Full customization
• Powerful functionality
Introducing KeyLines
KeyLines is a powerful SDK for building network
visualization web applications:

6. ‘Graph’ data
Enron email traffic
Nodes are people
Links (or ‘Edges’) are
emails exchanged
Scale and colour Node
using Social Network
algorithms
Betweenness = number
of shortest paths Nodes
are on ; indicates
seniority
Links scaled proportional
to volume of email

7. Cyber Security Data
“Cybersecurity is the body of technologies, processes and
practices designed to protect networks, computers, programs
and data from attack, damage or unauthorized access.”
Cyber Security data structures often fit very well with Graph
entities and visualisations….
E.g. NODES
● Machines
● People
● Data Centres
● Malware Families
● Applications
● Credentials
E.g. LINKS
● Attack Vectors
● Data Packets
● Emails
● Credentials
● Vulnerabilities
● Exfiltrated Data
A visual and interactive representation can efficiently uncover
patterns, trends and anomalies in complex data-sets

8. Size / Volume
• Huge number of security events generated by SIEM and other
systems...
Challenges of Cyber Data (I)
Generated at millisecond levels of resolution;
Typically stored in disparate silos that can be
unwieldy to manage.
Challenge is to detect unusual behavior inside
terabytes of event and attribute data,
including:
● IP logs – detecting indications of infected machines
or botnet zombies
● Network logs – uncover applications or users that
hog bandwidth so they can optimize systems and
prioritize business critical applications.
● Communications logs – for performing analysis to
uncover sabotage, espionage or other unwanted
activities.
● Web server logs – managing and prevent external
threats, such as DDoS attacks.

9. Complexity
• Combination of machine and human
actors
• Subtle interactions of the When and
the Where
Noise
• Significant events and patterns can
be hidden in a sea of data
• Attackers will attempt to hide their
behaviour !
Challenges of Cyber Data (II)

10. ● How to visualize cyber security data:
○ Performance demo
○ Malware demo
○ Data Breach demo
○ Combinations/Grouping demo
○ Geo/TimeBar demo
Demos

11. KeyLines 3.0!
• Supercharge your charts with (Alpha)
○ Rendering speed up to 10x faster
○ Supported by ‘Big 4’ Browser brands
and most devices
○ Improves fluidity & responsiveness
with larger datasets
• Three new cyber-security demos
○ Inspire creative use of KeyLines
• New Angular directive
○ Performance and compatibility

12. Your Questions (I)
“Can KeyLines work with real-time data? If so, what visual
model / techniques would you recommend?”
• Yes, it does.
• The Time Bar and Tweak Layouts are designed for this.
• Try to limit the volume of data being communicated at any one
time. Techniques like combos or ghosting can help.
“What is the maximum number of nodes/links you can
handle?”
● HTML5 Canvas - a few thousand.
● WebGL - many tens of thousands.
● Using show/hide, around 1 million. BUT this is rarely useful.

13. “How easy it is to change the shape, design and layout
of nodes and edges?”
• Very easy.
• Shapes, image nodes, font icons and other designs possible.
• 6 extensible & customizable automated layouts available.
“Does WebGL handle rendering thousands of nodes and
edges well on machine with say Intel HD 3000?”
• WebGL harnesses machine’s GPU and performance will vary
• For reference, demos today were using Mac Book Air on Intel
HD 5000.
Your Questions (II)

14. Your Questions
+ Live Questions…!

15. ● Cyber Security data is big, complex and noisy.
● A good cyber security visualization needs:
➔ A well thought-out visual model and defined question
➔ Functionality to overcome complexity and noise
◆ Good layouts, filtering, combos, time bar, geospatial
➔ Power to work with data at scale
● Graph visualization is the ideal tool.
We’d love to help!
Summary

16. Thanks for joining us!
@CambridgeIntel Cambridge-Intelligence.com
info@cambridge-intelligence.com