Raffael Marty is the founder of PixlCloud and a co-founder of Loggly. His research interests span anything related to IT data visualization. He has held various positions in the log management space at companies like Splunk, ArcSight, and IBM research where he also earned his masters in computer science. His book, Applied Security Visualization, and the SecViz portal are the primary resources for information related to security visualization. The Data Analysis and Visualization Linux (DAVIX), as well as AfterGlow are two of his past projects that have helped form the security visualization space.
Books
Applied Security Visualization
This book is about visualizing computer security data. The book guides, Step-by step, through visually analyzing electronically generated security data. Insider Threat, Governance, Risk, and Compliance (GRC), and Perimeter Threat all require people to gather and analyze their IT data. Log files, configuration files, and other IT security data needs to be analyzed and monitored to address a variety of use-cases. Instead of handling textual data, visualization is offering a new, more effective, and simpler approach to analyze millions of log entries generated on a daily basis. Graphical representations help immediately identify outliers, detect malicious activity, uncover mis-configurations and anomalies, or spot general trends and relationships among individual data points. Visualization of data - the process of converting security data into a picture - is the single most effective tool to address these tasks.
Security Data Visualization
I wrote a chapter on firewall log analysis and IDS signature tuning using visual methods for Greg's book.
Snort IDS and IPS Toolkit
I wrote a chapter on security data analysis and reporting for the Snort book from Syngress.
Log Analysis and Security Visualization Workshops
Some of the things that people say about the presentations and workshops:
"Materials are generated from real-world experiences hence all things learnt are really practical and useful."
"The class was pretty intensive (with loads of stuff - theory and practical)."
"Certainly, it changed my perception on doing log analysis traditionally and paved new ways to work on log analysis."
"Cool stuff!"
"Very informative in understanding core concepts with SecVisualization."
"Probably the most useful speaker of the day. He provided very good information on how to visualize data. I would like to see him come back in a workshop type format where we could bring the logs that our applications actually create and he could help us filter them and put it in a useful format.
"This was one of the more interesting talks."
As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today's state-of- the-art data visualization techniques, you can gain a far deeper understanding of what's happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. The attendees will learn about log analysis, get an overview of visualization, data sources for IT security, and learn how to generate visual representations of IT data. The training is filled with hands-on exercises utilizing the DAVIX live CD.
List of past workshops:
- Advanced Splunk and Visualization Training, Singapore, January 2010
- "Data Analysis And Visualization" Workshop, HoneyNet Alliance, Kuala Lumpur, Malaysia, February 2009.
- "Security Visualization Research" Workshop, Colloquium for Information Systems Security Education (CISSE), Seattle, June 2009.
- "Applied Security Visualization" Workshop, IS Summit 2008, Hong Kong, November 2008.
- "DAVIX Workshop on Visualization", DefCon, Las Vegas, August, 2008.
- Applied Security Visualization" Workshop, First Conference 2008, Vancouver, June 2008.
Past Presentations
- Applied Security Visualization Workshop, AusCERT, Gold Coast, Australia, May 2010
- Log Analysis and Visualization Workshop, HoneyNet Alliance, Mexico City, April 2010
- University of Advancing Technology, Tech Forum, November 2009.
- Webinar: "SIEM 2.0: Integrating Five Key Requirements Missing in 1st Gen Solutions", IANS Security, October 2009.
- KeyNote at ChicagoCon, Chicago, May 8-9 2009.
- "IT Data Analysis and Visualization", Peer-to-peer session at RSA, San Francisco, April 2009.
- "IT Data Search Engine - Splunk", IANS Security event, Washington D.C., March 2009.
- "SecViz 007", BCS 2008, Jakarta, November 2008.
- "SecViz 007", IS Summit 2008, Hong Kong, November 2008.
- "IT Data Visualization", SUMIT 08, University of Michigan, October 2008 (audio).
- "IT GRC Visualization", Triangle InfoSeCon, Raleigh, North Carolina, October 2008.
- "SecViz 007", BA-Con Argentina, Buenos Aires, September 2008.
- Panel discussion at VizSec, Boston, September 2008.
- DAVIX presentation at VizSec, Boston, September 2008.
- "Visualization Research 2.0", FIT-IT, Graz, Austria, September 2008.
- "Recent Trends in Security Visualization", RSA Conference, San Francisco, April 2008.
- "All the Data That's Fit To Visualize", SOURCE Boston, March 2008 (video).
- "Applied Security Visualization", MIT Lincoln Labs, Boston, December 2007.
- "Insider Crime Visualization", BCS '07, Jakarta, Indonesia, November 2007.
- "Computer Crime - A Data Centric View", CSI Computer Crime and Security Survey 2007 event, San Francisco, October 2007.
- "Insider Crime Visualization", Hack In The Box, Kualalumpur, Malaysia, 2007.
- "Insider Threat Visualization - The Visual Conviction", First 2007, Seville, Spain, 2007.
- "Visualization of Security Data", Bellua BCS, Jakarta, Indonesia, 2006.
- "Visual Log Analysis - The Beauty of Graphs", DefCon, Las Vegas, 2006 (video).
- "Visual Event Analysis with ArcSight", ArcSight User Conference 2006.
- "A Visual Approach to Security Event Analysis",EuSecWest, London, 2006.
- "Visual Security Event Analysis", RSA Conference, San Jose, 2006.
- "What defineds IDS? Does IDS really help?", RAID Conference, Seattle, 2005.
- "A Visual Approach to Enterprise Security Management", Government Technology Conference (GTC) East, Albany, NY 2005.
- "Visual Security Event Analysis", DefCon, Las Vegas 2005 (video).
- Common event format standard, Global Security Consortium workshop, Washington D.C., 2005.
- "Visual Security Event Analysis with ArcSight", ArcSight User Conference 2005.
- GCIA paper (Visualization of TCPdump data), 2005.
- Security Information Management, Security Colloquium, IBM Research, 2004.
- Intrusion Management, the Zurich Information Security Center, Federal Institute of Technology, Switzerland, April 2003.
- "Design of an Intrusion-Tolerant Intrusion Detection System", Information Society Fifth Framework Programme, 2003.
- "Thor: A Tool to Test Intrusion Detection Systems by Variations of Attacks", 2002.
- "Optimization of Mix Components in an Anonymity Network" , 2001.
Press
- May 2009, Applied Security Visualization Ethical Hacker Network, JP Bourget.
- February 2009, Getting Started With Visualization ITWorld
- January 2009, Security book chapter: Applied Security Visualization TechTarget
- October 2008, Interview with Stephen Ibaraki
- October 2008, Interview recording with Stephen Ibaraki (Audio)
- October 2008, "Tough economic climate can heighten insider threat" Article by Jaikumar Nijayan, ComputerWorld
- August 2008, Security visualization helps make log files work, Article by Robert Westervelt
- August 2008, Security Wire Weekly: Security Visualization, Interview with Robert Westervelt from TechTarget (audio).
- August 2008, "Networking data visualization not just for pointy-headed bosses", Interview with Michael Morisy.
- August 2008, Book Extract: Networking data visualisation explained
- August 2008, Network Security Podcast, Interview with Martin McKeay at DefCon 2008. (Audio)
- July 31 2008, Mentioned in Implementing a Web Application Firewall with ModSecurity
- July 30 2008, San Francisco Belediyesi Hack Vakası: Denetim Neredeydi?, turk.internet.com, Andy Patrizio.
- July 23 2008, San Francisco Hack: Where Was the Oversight?, InternetNews.com, Andy Patrizio.
- June 30, 2008 Blended Attacks using Social Engineering Podcast, ITProPortal.com, I am interviewing Peter Wood.
- June 6 2008, Converging IDS, IPS and the Rest of Security
- June 2008, Security Visualization: What You Don't See Can Hurt You
- April 9 2008, RSA 2008 Raffy Marty describes Splunk's search technology for IT infrastructures (podcast)
- March 17, 2008, Marketwire: RedSeal Systems to Present at RSA 2008.
- January 16, 2008, InformIT Bridging Security and Visualization (video).
- January 9, 2008, InformIT Applied Security Visualization (video) discussion of the upcoming book.
- Septemer 22, 2007, Michael Rash Linux Firewalls Book endorsement.
- August 3, 2007, Ben Chai Bar Talk on Visualization (audio).
- June 22, 2007, Cubing Security Event Logs to make Realtime Analysis Possible.
- June 21, 2007, Managing Security Log Files
- May 23, 2007, Ben Chai FIRST Interview with Raffael Marty from Arcsight (audio).
- April 2005, China's Zombie PCs
- April 2005, Businesses Snub Windows Fix
- March 2005, Microsoft's security card
- October 2001,Article in the St. Galler Tagblatt of October 31st 2001.
Papers
- DAVIX gegen Goliath, Jan P. Monsch/Raffael Marty/Christoph Puppe, iX special Herbst 2008 Sicher im Netz
- Security Visualization - Learning From The New York Times, a video produced for Source Boston 2008.
- My GCIA paper. This paper shows how I analyzed a dataset given by SANS. I used graphing techinques, GraphViz and other tools, to automatically generate visual images of the dataset. I was a bit too enthousiastic and wrote way too much. The additional chapters are therefore published here.
- I was one of the co-authors of Design of an Intrusion-Tolerant Intrusion Detection System, a long-term research project funded by the European Union under the Information Society Fifth Framework Programme.
- Thor: A Tool to Test Intrusion Detection Systems by Variations of Attacks.
- My second term project I was working on was to improve an anonymity network by adding so called mixes. Read more on the Mixer page.
- My first term project I wrote at the Institute of Robotics at the ETH. My task was to develop a device driver for a PCMCIA Adapter and on top of that I had to implement the FAT-Filesystem in order to access ATA-compatible drives. Check out the special page to find out more.
- During a seminar that I attended while studying computer science, I worked together with Robert Hass on the topic: "IP over Everything". It's about the network layers IP works on, with a strong emphasis on the core-network technologies. Further we present a couple of services which use IP and what functionalities these services will demand from IP. In the services chapter I wrote a paragraph about security in the near future and what criterias the IP protocol will have to fullfill. Further there is another interesting chapter about VPNs. The presentation is available online as well.
Memberships
- IANS Faculty of Security Experts, 2009
- HoneyNet Alliance, 2008, Bay Area Chapter
- DHS CATCH, Cybersecurity Applications and Technologies Conference for Homeland Security 2008, Program Committee
- Workshop on the Analysis of System Logs (WASL), 2009, Program Committee
- Workshop on the Analysis of System Logs (WASL), 2008, Program Committee
- SOURCE Boston and Barcelona, 2009, Conference Advisory Board
- SOURCE Boston, 2008, Conference Advisory Board
- VizSec 2009, Program Committee
- VizSec 2008, Program Committee
- VizSec 2007 Program Committee
- RAID 2008 Program Committee
- RAID 2007 Program Committee
- RAID 2006 Program Committee
- Capture the Flag @DefCon 2005
- OVAL (Open Vulnerability and Assessment Language), Advisory Board
- CVSS (Common Vulnerability Scoring Schema), Standard Working Group
- CEE (Common Event Expression), Founding Member
- PCI Knowledge Base: Panel of Experts
- ISSA member
- Syndicating my blog to: ITProPortal
- Syndicating my blog to: Security Bloggers Network
- Syndicating my blog to: Security News Portal
- Security Data Visualization Portal
- AfterGlow - Visualization Tool
- Thor - Intrusion Detection Testing and Correlation Tool
- DAVIX - Data Analysis and Visualization Linux
- Predict, a project for open log sharing, sponsored by the DHS
- NIST 800-41, contributed to the Guidelines on Firewalls, and Firewall Policy.
- NIST 800-92, contributed to the Guide to Computer Security Log Management
- Security Data Visualization
- Log Management
- Intrusion Detection
- Insider Threat
- Governance Risk and Compliance
- HoneyNets
- UNIX security
- Product Management
- Certified Product Manager, Pragmatic Marketing, October 2006.
- SANS GIAC Certified Intrusion Analyst (GCIA), February 2005.
- IBM IT Security Methodology Certification, March 2003.
- Certified Information System Security Professional (CISSP), November 2002.
- Masters in Computer Science from Federal Institute of Technology (ETH) in Zurich, Switzerland
- Teaching assistant for Network Security 2001 at ETH Zurich.
KeyID: 0x4E0F59A9
3000 D9E8 4442 211D 1523 6C96 6818 90EA
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.5.2 for non-commercial use
mQENAziQ0UMAAAEIAJd+CJUBgU/OmOmT9P9jWAQyRQ5XtwJF8t5L+rYoJm6mlyGl
29gFSq9pj5fzWXUiMbRnFtI2w47EO3UBa8+X0Xc+FxfeZNVpD5R5Cxt7h9BFOFd+
ej7DdoXd2pFrgc/K5OxBiUrFU14EZePRnyooavC0CZqRynGajtV3noUewDGrmnhF
dR8pamh6srrJ4WburYAKe0aV/P/jT4d0+VfFjgpGFRE2BiKKni3CxVxofpMK//gy
WDD8qfJ8Zi/ncGn1U0e4WeQ7wkjQjAQfQm60RUbZt2kkYuB2t5vwWFn3INiXW+Do
8zArUilLF/7bD0dX61Q4kKP9Ciwifyuevk4PWakABRG0HlJhZmZhZWwgTWFydHkg
PGFkbWluQHJhZmZ5LmNoPokBFQMFEDiQ0UN/K56+Tg9ZqQEB0uMH/jCZ4NOSi0eF
d+0Z/OkGuM9Y5J6kD5SvAIl6dkyJBvaUDWm6y3xh/j71LGwwZebJB5q2yhUPUFXm
v+EnO22+OAmFgJbd6YUGZn9hJWMD+KG4ms10S5joxPjpYqgQL5ATdhvDXbWrcGf/
C4x8GgJW8fQCMcSITGt6y6wDD77kroxCS0asioboBfUoU5AF98QCdS5wPo3GZz6Q
7nZEoPo4M0Cfxx7wvKTjHOvrXe7qtBkVZV3fKC3u4bKRUaXQ3APBYhAvCzU6ZzLO
HOhY450NWpOKLKArcRqx5Hkv3PZQj60MMmMLvvxzmgTXnUt+1vaQ+pYLFfgJTqJl
2bSv6v5/bQiJARUDBRA4kNGSChXrei1SV9sBAWdYCACuUR5InXwK2VkhPD3wxHH/
+EE/GVD8r4A2zLZpYjqIeXfST/Ve4mXTnwriFx5Sq8Yqwtq1UoGN6Vk3MYwo6+Eo
0Pi6vgmQO2FY9vmqYS0ZmbJvxC8LNO+lK0PqrzzPkun/BBTMqUkp+ClOwzQMXNkl
FOlKOjC8VDidz9aNvjTnb2p6YzWedM2UMKGX0mOnv+PmqD9MpKGixQHVmVwROBQ1
gwj4F4NiIZz4mb4OltJKiwPw2AZsnrK8Y5+x5GKmLk/JYh7FoJsW4VfZK+sj/gUH
85kiHwPh+OhRYC9JsimSihn35VdiSEFFyNtjikMYLKdq8RA9sk8CIGoIoxQXfRC9
=3xQU
-----END PGP PUBLIC KEY BLOCK-----
