Using Data In-Sight

The Data In-Sight visualization enables you to examine in depth a sequence of events that the Guardium system captured. It provides a comprehensive picture of activity in a specific time window and helps to detect unusual behavior.

About this task

Data In-Sight introduces a revolutionary paradigm that uses human visual capabilities to gain an overall view of data transactions and to identify unexpected behavior. Guardium already provides robust machine-learning and data-analysis features that assist audits and detect attacks. Those algorithms, analyses, and charts are designed from accumulated experience and knowledge. Data In-Sight adds the flexibility of human visual perception to spot associations and movements in the raw data that do not fit a known attack pattern and would otherwise go unnoticed. The tool presents various aspects of the data in a complex visual scenario and gives the observer tools to explore large amounts of complex data directly.

Data In-Sight converts audited data into a 3-D chronological visualization of data flow from sources to destinations, showing data transactions unfold exactly as they occurred. It is an answer to a constantly changing landscape: it applies the flexibility of human visual perception to spot associations and movements in the raw data, irrespective of known attack types, that would otherwise go unnoticed.

The visualization space contains two planes, each representing entities of one type from the audit domain. Every entry in the audit data is represented as a moving ‘flash line’ from an object in the upper plane (client IP, OS user, DB user, or source program) to an object in the lower plane (database, object, or server). The flash line has the same color as the destination database. Between the source and the destination it leaves a trail (a dotted line) that indicates interaction between that specific source and destination and gradually fades into the background. Together, the trails form an overview of the interaction between sources and destinations in the selected time period. Sources are placed near their destinations and near other similar sources. The size of each source and destination reflects its level of activity; the size of a destination entity is proportional to its volume of transactions relative to the other destination entities. The display can be modified in many ways to show additional information or aspects of the data, including color-coding the top entities (an entity's color changes as its data source details change), filtering from the Data In-Sight chart, and applying the Investigation Dashboard facets. You can also view Data In-Sight with VR headsets.

Procedure

  1. In the Investigation Dashboard window, click Add Chart > Data in-Sight chart. The Chart Settings window opens.
  2. In the Chart Settings pane, modify the object types that are represented in both planes and the type of data flow between them. Optionally, color-sort the entities in the top plane by a secondary criterion to add another level of analysis. For example, if the objects of the top plane represent client IPs and you select color-sorting by source program, you can see which source programs a specific client IP uses, and which client IPs share a common source program. An object whose color changes repeatedly indicates that a single client IP frequently changes the source program it uses. Click Apply.
    Table 1. Data In-Sight Chart Settings (field: description and values)
    Data flow domain: The type of data flow displayed. One of Activities, Errors, Violations, Outliers.
    Top plane entities: The entity type that is represented in the top plane. One of Client IP, DB User, OS User, Source Program.
    Bottom plane entities: The entity type that is represented in the bottom plane. One of Database, Object, Server.
    Color sort top entities by: Optional extra color classification of top entities. One of None, Client IP, DB User, OS User, Source Program.
    Show top plane label: Yes or No.
    Show bottom plane label: Yes or No.
    Max. entities in top plane: Maximum number of entities that are shown in the top plane.
    Max. entities in bottom plane: Maximum number of entities that are shown in the bottom plane.
    Top entities color: Opens a color palette to select the color for top plane entities. Disabled if top entities are color sorted.
    Background color: Opens a color palette to select the background color.
    Planes color: Opens a color palette to select the color for the planes (one color for both planes).
  3. Modify the display as needed:
    • Click the magnifier icon to enter full-screen mode for more details
    • Rotate the view by holding down the left mouse button and dragging
    • Pan by holding down the right mouse button and dragging
    • Zoom in and out with the mouse wheel
  4. Inspect entities as needed:
    • Hover over an entity to show its details in the legend
    • Click an entity to show only its data flows (other entities fade out). Click the background to exit.
    • Double-click an entity to use it as the active filter (over the entire dashboard)
  5. The information pane, in the upper right corner, shows the time stamp of the currently displayed actions, the number of actions shown so far, and the rate of events per second. Use its controls to modify the playback:
    pause: Pause or restart the data flow
    refresh: Restart the data flow from the beginning of the time period
    increase speed: Increase the speed of the data flow
    decrease speed: Decrease the speed of the data flow
    view from top: View from the top (bird’s eye)
    view from side: View from the side (default)
  6. Use these buttons above the Control Panel as relevant:
    magnifying glass: Activates full-screen mode for the Data In-Sight chart
    wrench: Opens the Chart Settings
    close icon: Closes the Data In-Sight chart
    question mark: Opens a pop-up help
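The chart settings in step 2 and Table 1 encode a few simple analytics: destination size proportional to transaction volume, a cap on the number of entities per plane, the trail overview of source-to-destination interactions, and the color-sort signal where a client IP whose color changes repeatedly is switching source programs. The following Python is an added illustration of those analytics over audit records, written for this page; it is not Guardium product code, and the record layout (timestamp, client IP, source program, database) and the sample events are constructed assumptions, since the page does not show Guardium's schema.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample audit records: (timestamp, client IP, source program, database).
# This tuple layout is an assumption for the example; the real Guardium schema is not shown here.
Event = Tuple[int, str, str, str]
SAMPLE_EVENTS: List[Event] = [
    (1, "10.0.0.5", "sqlplus", "HR"),
    (2, "10.0.0.5", "sqlplus", "HR"),
    (3, "10.0.0.9", "app-server", "SALES"),
    (4, "10.0.0.5", "python", "HR"),
    (5, "10.0.0.9", "app-server", "SALES"),
    (6, "10.0.0.5", "sqlplus", "FIN"),
    (7, "10.0.0.9", "app-server", "SALES"),
    (8, "10.0.0.5", "toad", "FIN"),
    (9, "10.0.0.7", "app-server", "SALES"),
    (10, "10.0.0.9", "app-server", "HR"),
]


def destination_sizes(events: Sequence[Event]) -> Dict[str, float]:
    """Share of all transactions per bottom-plane entity (database).

    The chart sizes each destination in proportion to its volume relative to
    the other destinations; this returns that proportion (0.0 to 1.0)."""
    counts = Counter(db for _, _, _, db in events)
    total = sum(counts.values())
    return {db: n / total for db, n in counts.items()} if total else {}


def top_entities(events: Sequence[Event], field: int, max_entities: int) -> List[str]:
    """Most active entities for one plane, like the 'Max. entities' settings.

    field is the tuple index to group by: 1 = client IP (top plane),
    3 = database (bottom plane). Ties are broken by name for a stable result."""
    counts = Counter(ev[field] for ev in events)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, _ in ranked[:max_entities]]


def interaction_overview(events: Sequence[Event]) -> Dict[Tuple[str, str], int]:
    """Number of interactions per (client IP, database) pair.

    This is the information the fading trails convey once they accumulate."""
    return dict(Counter((ip, db) for _, ip, _, db in events))


def source_program_switches(events: Sequence[Event]) -> Dict[str, int]:
    """Per client IP, how many times the source program changed between its
    consecutive events (in timestamp order).

    With top entities color-sorted by source program, this is how often that
    entity's color changes on the chart."""
    last_program: Dict[str, str] = {}
    switches: Dict[str, int] = {}
    for _, ip, program, _ in sorted(events, key=lambda ev: ev[0]):
        changed = ip in last_program and last_program[ip] != program
        switches[ip] = switches.get(ip, 0) + (1 if changed else 0)
        last_program[ip] = program
    return switches


def high_churn_clients(events: Sequence[Event], min_switches: int) -> List[str]:
    """Client IPs whose source program changed at least min_switches times."""
    return sorted(ip for ip, n in source_program_switches(events).items() if n >= min_switches)


if __name__ == "__main__":
    print("destination sizes:", destination_sizes(SAMPLE_EVENTS))
    print("top 2 client IPs:", top_entities(SAMPLE_EVENTS, 1, 2))
    print("trail overview:", interaction_overview(SAMPLE_EVENTS))
    print("program switches:", source_program_switches(SAMPLE_EVENTS))
    print("high-churn clients:", high_churn_clients(SAMPLE_EVENTS, 2))
```

In the sample data, 10.0.0.5 moves between sqlplus, python, and toad while 10.0.0.9 stays on app-server, so only 10.0.0.5 is reported as high churn; that is the same pattern you would see on the chart as one top-plane entity repeatedly changing color.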