
Ingalls Network Security Information Technology Environment (iNSITE)

A VIRTUAL REALITY DATA VISUALIZATION SYSTEM FOR CYBER SECURITY ANALYSIS

PROBLEM: TOO MUCH DATA, YET NOT ENOUGH DENSITY FOR CONTEXT

Today’s Cyber Security tools give analysts access to massive amounts of data. The challenge is how to make sense of it. The current generation of tool interfaces provides analysts with the same kind of interface used since Lotus 123™ was launched in the 1980s: the spreadsheet. Analysts are swimming in a thin gruel of information about cyber security events.

Spreadsheets are still useful: they are wonderful for sorting data into neat rows and columns, for performing simple math on various parts of the data set and presenting the results in-line with the original data, and for developing 2-D charts. However, spreadsheets take up a lot of space for the amount of data that they provide. That space is precious when the only display available is an eight-by-twelve inch screen, positioned three feet from an analyst’s eyes. Spreadsheets don’t allow analysts to quickly understand the context around the data, and analysts must rely on their experience and situational awareness in order to make sense of what looks like random numbers and text to an untrained eye.

SOLUTION: CONTEXT AND SITUATIONAL AWARENESS WITH VISUALIZATION

As it turns out, attacking or defending networks in cyberspace is a lot like an aerial dogfight. Visibility, speed and agility are critical success factors in preventing an adversary from achieving objectives. Spreadsheets simply aren’t up to the task. Cyber Security analysts need a way to see as much data as possible, quickly and with context. This is why we invented iNSITE: to give analysts the ability to see the network they are defending in real- or near-real-time, and with as many data layers as are available.

Using iNSITE, analysts don’t just view data in a spreadsheet; they are transported within data structures visualized in Virtual Reality. This level of visibility and immersion provides an immediate advantage over legacy, spreadsheet-based data presentation methods. Figure 2 demonstrates how iNSITE provides orders of magnitude more visibility, situational awareness, and capability to defend a computer network of any size or complexity, by allowing analysts to fly through a rich, densely populated stew of cyber security data.

Figure 1: A spreadsheet with metadata

Figure 2: iNSITE visualization with spreadsheet overlay

CREATING A WORLD WITH METADATA: THE VISUALIZATION ENGINE

Metadata (or “data about data”) provides a great backdrop to paint an environment with. When a user connects to an Internet host from inside a corporate network, the devices that handle the request are able to generate a log of the activity. This log, commonly called NetFlow (due to Cisco’s early development of such capability), allows us to create a visualization of every computer host that had a communication event within a given timeframe. This data, once visualized, provides the basic construct and context about the network environment that analysts are responsible for defending. By simply moving around in it, analysts gain situational awareness that cannot be realized in other data presentation systems. Additionally, the immersion that Virtual Reality provides allows analysts to quickly identify important data structures that need further analysis, because the data is all around them.

iNSITE can work with any form of metadata, and the base visualization schema can contain discrete data fields that can be defined for additional visualization detail. This is very important for privacy considerations, since data can be sanitized and used to visualize the environment, and discrete information can further refine the visualization.

ENRICHING THE VISUALIZATION: OVERLAYING DISCRETE DATA LAYERS

Once the network environment has been visualized, it becomes useful to provide additional context through the use of multiple layers of discrete data. These layers can come from multiple sources, for example from Network Intrusion Detection Systems (NIDS), Host-based agents (HIDS), or any other data source that provides specific information about an event. The most common use of iNSITE data overlay is to present a targeting icon over hosts that have generated IDS alerts. These icons pulse and draw the analyst’s eye, and by interacting with the host in Virtual Reality, the analyst is able to view all hosts that communicated with the suspect host (due to metadata), as well as all data about the event that triggered the alarm. The visibility and situational awareness this provides is useful in evaluating IDS alerts for further action. iNSITE is designed to allow API calls to network devices such as firewalls and routers, so that analysts can immediately take action to block unwanted activity at the perimeter, and host-based tool support is being contemplated.
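As an added illustration of the two layers described above (not iNSITE's code, which this paper does not show), the sketch below builds a host graph from flow records within a time window and overlays IDS alerts to list every host that communicated with an alerted host. The record layout, addresses, signature text, and function names are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, bytes).
# Addresses are documentation/private ranges, not values from the paper.
FLOWS = [
    (1000, "10.0.0.5", "192.0.2.10", 4200),
    (1010, "10.0.0.5", "198.51.100.7", 300),
    (1020, "10.0.0.8", "192.0.2.10", 950),
    (1030, "10.0.0.9", "203.0.113.44", 120),
    (5000, "10.0.0.8", "203.0.113.44", 60),  # falls outside the default window
]
# Constructed IDS alerts: (epoch_seconds, host_ip, signature text).
ALERTS = [(1015, "192.0.2.10", "constructed-signature-A")]


def build_graph(flows, start, end):
    """Metadata layer: every host seen in the window, with bytes per host pair."""
    edges = defaultdict(int)
    peers = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        if start <= ts < end:
            edges[frozenset((src, dst))] += nbytes
            peers[src].add(dst)
            peers[dst].add(src)
    return peers, edges


def overlay_alerts(peers, edges, alerts, start, end):
    """Discrete layer: attach alerts to hosts and list each alerted host's peers."""
    view = {}
    for ts, host, sig in alerts:
        if not (start <= ts < end):
            continue
        entry = view.setdefault(host, {"signatures": [], "peers": {}})
        entry["signatures"].append(sig)
        # An alerted host with no flow metadata simply gets an empty peer list.
        for peer in sorted(peers.get(host, ())):
            entry["peers"][peer] = edges[frozenset((host, peer))]
    return view


def analyst_view(start=900, end=2000):
    """Return (all hosts in the window, alert overlay keyed by alerted host)."""
    peers, edges = build_graph(FLOWS, start, end)
    return sorted(peers), overlay_alerts(peers, edges, ALERTS, start, end)
```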

Figure 3: iNSITE's visualization of metadata and discrete data layers

Figure 4: Data layer presentation and controls

GAME CHANGER: FLIPPING THE ADVANTAGE IN CYBERSPACE

The current state of cyber defense is poor; attackers strike without warning, defenders are unable to determine that their environment has been hacked until months and years later, and data theft, destruction, and other more serious impacts are a daily occurrence. What is needed is a new paradigm for defending cyberspace: iNSITE.

With iNSITE, defenders will be able to cover more network area per analyst, see more in less time, and develop and execute defensive maneuvers with speed and agility. We believe that by providing the immersion and context that iNSITE delivers, the advantage will be taken by defenders, who can see important data and ignore the massive amount of useless chaff that creates a nearly impossible visibility problem today. iNSITE will allow teams of cyber defenders to coordinate activity in Virtual Reality, so that rapid detection and response is the new paradigm of cyber security.

AVAILABLE SUMMER, 2016

iNSITE is currently in development, and is expected to be released shortly after the reference hardware, Oculus Rift, becomes available for retail purchase. This is expected to occur before the third quarter of 2016, and iNSITE is being tested, baselined, and evaluated for operational effectiveness by the Incident Response team at Ingalls Information Security. We believe that we will achieve a greater than 10-to-1 increase in productivity, detection, and overall network defense capability when using iNSITE to perform cyber security analysis and investigation of network environments, when compared to the legacy, spreadsheet-based interfaces of today. If you or your organization would like more information about iNSITE or any of our other offerings, please contact us using your preferred method and the contact information on the next page.

Figure 5: The BBC's James Cook experiences iNSITE: http://www.bbc.com/news/world-us-canada-34121413

ABOUT INGALLS INFORMATION SECURITY, LLC.

Ingalls Information Security is a Louisiana-based cyber security company with the following missions:

• Prevent and respond to data security breaches

• Protect the Internet

• Bring Cyber Security industry jobs to Louisiana

We have responded to the largest data security breaches in history, and provide consulting services to state and federal government, non-profit organizations, and commercial clients in the energy, finance, defense, and high-technology industries. We also work with organizations to make the Internet a safer, more useful, and more secure tool for good, and we actively work to improve education and job opportunities in Louisiana. When we identify better ways to accomplish these missions that do not exist yet, we build them.

The Cyber Innovation Center in Bossier City, Louisiana. www.cyberinnovationcenter.org

OFFICES

We have field offices in Los Angeles, California and San Antonio, Texas, and our base of operations is in Louisiana.

ENGINEERING

6300 East Texas Street, Suite 240, Bossier City, Louisiana 71111

ADMINISTRATION

5615F Jackson Street Extension, Suite C, Alexandria LA 71303

(318) 321-1955 (voice) (318) 290-2823 (fax)
