“If you look at log files or system events to understand what is going on in your machines or in your network, a lot of people look at their textual logs.” The goal is to take network traffic, intrusion detection system and firewall data and begin visualizing pieces of it to build an overall picture of the company’s security posture. Once you develop the right chart or graph to bring out the structure in the data, patterns begin to emerge and certain pieces of information stand out, Marty said.
Raw firewall log files are of little use on their own without domain expertise on staff to turn them into meaningful graphs.
Marty has released a Linux CD called Data Analysis and Visualization Linux (DAVIX).
“With firewall log files, you don’t need to know what specific IP address is connecting to me from the outside,” Marty said. “You can cluster it to get a general idea of what happened and then if you want to drill down you can open up that cluster.” For example, a chart or graph could visualize violations per Payment Card Industry Data Security Standard (PCI DSS) requirement, helping companies determine where they fall short of the standard. The same approach can be used to audit large database management systems, such as Oracle and Microsoft SQL Server, to work out who accessed a particular table and whether that table was altered.
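The cluster-then-drill-down idea Marty describes, as an added example that is not from the article or from DAVIX: a small Python script that parses constructed iptables-style syslog lines, collapses individual source addresses into /24 (or /16) networks so the analyst sees "which neighbourhoods are hitting me" rather than thousands of IPs, and then opens one cluster to show the per-host, per-port detail. The log format, host names and addresses are assumptions made up for the example (documentation ranges only).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (iptables/syslog style), not real data
# and not taken from the article. One line is deliberately not an event.
SAMPLE_LOG = """\
Jun 12 10:01:02 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.17 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=22
Jun 12 10:01:03 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.17 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=23
Jun 12 10:01:04 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=22
Jun 12 10:01:05 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.11 PROTO=TCP SPT=52001 DPT=445
Jun 12 10:01:06 fw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=161
Jun 12 10:01:07 fw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.12 PROTO=TCP SPT=33000 DPT=3389
Jun 12 10:01:08 fw kernel: IPT-ACCEPT IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=443
this line is not a firewall event and is skipped
"""

# Assumed log layout: an "IPT-<ACTION>" tag followed by key=value fields.
LINE_RE = re.compile(
    r"(?P<action>IPT-[A-Z]+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_firewall_log(text):
    """Return one dict per recognised event; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "action": d["action"],
            "src": ipaddress.ip_address(d["src"]),
            "dst": ipaddress.ip_address(d["dst"]),
            "proto": d["proto"],
            "dpt": int(d["dpt"]) if d["dpt"] else None,
        })
    return events


def cluster_by_source(events, prefix=24, action="IPT-DROP"):
    """Collapse individual source addresses into /prefix networks and count
    matching events per network. This is the 'cluster' view: you do not
    need to know each IP, only which networks are generating the traffic."""
    counts = Counter()
    for e in events:
        if e["action"] != action:
            continue
        net = ipaddress.ip_network(f"{e['src']}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def drill_down(events, network, action="IPT-DROP"):
    """Open one cluster: per (source host, protocol, destination port) counts
    for events whose source lies inside the given network."""
    net = ipaddress.ip_network(network)
    detail = Counter()
    for e in events:
        if e["action"] == action and e["src"] in net:
            detail[(str(e["src"]), e["proto"], e["dpt"])] += 1
    return detail


if __name__ == "__main__":
    evs = parse_firewall_log(SAMPLE_LOG)
    clusters = cluster_by_source(evs, prefix=24)
    for net, n in clusters.most_common():
        print(f"{net:<20} {n} drops")
    busiest = clusters.most_common(1)[0][0]
    print("--- drilling into", busiest)
    for (src, proto, dpt), n in drill_down(evs, busiest).most_common():
        print(f"{src:<16} {proto} dpt={dpt} x{n}")
```

The counts returned by `cluster_by_source` are exactly what you would feed to a bar chart or treemap; switching `prefix` from 24 to 16 is the "zoom out" step, and `drill_down` is the "open up that cluster" step. Accepted traffic is filtered out by default so the picture shows what the firewall rejected, which is usually the interesting part.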
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1327341,00.html