I’ve spammed this particular link everwhere else I can think of, but still neglected to post it here on my blog.

Basically, I was approached a few months ago by a senior editor of Symantec’s online magazine “Norton Today” because they were interested in doing a piece on Art and Security. I was approached because of my old work in security data visualization and the fact that’d I’d started to rework and hang the pieces in art shows like Artomatic and My Space on 7th.

Anyway, the interview went really well (in addition to being a lot of fun) and it’s now online at:

http://nortontoday.symantec.com/features/articles/art_of_security.php

(Edit: This link now appears down after a few months. Symantec has republished the article here: http://www.thegeekweekly.com/feature/turning_computer_vis_into_art/index.html )

They used a few older images in their Flash slideshow (My fault – I didnt get them newer images in time).  These were the originals we used at NetSec to do analysis and which have been in a number of presentations (and were in the batch I sent to ArcSight as examples when they were still developing Interactive Discovery, iirc).

You can find the “art” versions that I’ve hung up in galleries at the following link:

http://sintixerr.wordpress.com/art-versions-of-data-visualizations/

I’m still interested in working more of these, but have been moving from graphing – which was a necessity of the business at the time – into a broader field of ontological information/concept representation in art.

(This is in addition to my media experimentation with / interest in projection. I think Id like to merge these two tracks together in the future, but havent gotten there yet.)

Hey all!

I’m going to be showing some data visualizations at the My Space on 7th art show in Washington, DC starting Friday, July 11 at the Touchstone Gallery! Everyone should come out. I took a look at the space and there’s some interesting work hanging already. (And I have to thank Paige, here, who unintentionally helped me decide what to show…but more on that in a later post.)

Oh. And there will be wine tasting opening night.

There will be three old, but reworked images and one new one created just for this show.  Only one has ever been printed before and they all look pretty fantastic.

The new one consists of two superimposed graphs (a paraplot and a scatterplot) of illegitimate traffic going to/from “jackwhitsitt.com” (that would be, uh, most of it).

The three older ones are:

Destination Port Traffic Volume (global sample)

(Test Data from custom developed SEM correlation  modules)

(Pcap data from 10,000 spam emails)

I will be at Meet the Artists Night May 16th all evening from 6 or 7 until close. If you’d like to come say hi, that would be the best time to do it. Reminder: IM IN SPACE 8 SE D6. It’s just next to the “M” of the Artomatic sign outside.

Someone used this Rod Serling quote today in a post to Bruce Schneier’s blog. It bears repeating.

“The tools of conquest do not necessarily come with bombs and explosions and fallout. There are weapons that are simply thoughts, attitudes, prejudices, to be found only in the minds of men. For the record: prejudices can kill, and suspicion can destroy, and the thoughtless, frightened search for a scapegoat has a fallout all of its own, for the children and the children yet unborn. And the pity of it is that such things cannot be confined… to The Twilight Zone.”

http://en.wikipedia.org/wiki/The_Monsters_Are_Due_on_Maple_Street

Just comments on a previous coworker’s paper that he’s writing on tuning ArcSight. It’s a bit spewy and unedited (and will go to the other blog as a less stream-of-consciousness bit when I start it shortly), but I thought I’d pass the time until a write another art entry (photography is fun!) with it anyway:

What seems to be missing is commentary on the how and why of acting on the information that goes through the ESM – beyond just how the tools to perform those actions work.

By way of example, look at these specific quotes:
1. Normalization also includes translating the severity scales used by the different devices into ArcSight’s “Agent Severity” scale.

2. ArcSight connectors also assign each event to a set of categories (that is, it assigns a category tuple) using six fields derived from the fields included in the events collected by the connectors. These categories are designed to group like events from unlike devices, from two different IDSs for example, say, from ISS and Cisco.

Why does ArcSight do this? What does it mean to my correlation rules? Can I, algorithmically ahead of time, guarantee that the system will “think” about every event I want it to? With almost every single correlation methodology Ive seen – especially including ArcSight’s default methodology – the answer is a resounding “NO”. This means that you (formally) have no idea where your bits are at any point, whether they’ve been aggregated, why or why not, what transformations or decisions ArcSight has made about them, etc.

This methodology failure means that you cannot go back and do formal analysis on an incident that has passed through ArcSight without the original raw events and significant manual labor except by sheer luck (and thats not formal).

Read that statement above again, it’s important!

Basically, tuning the correlation engine (ArcSight) should never be approached from an “I need to get rid of stuff” – pure data reduction – standpoint. You will, probably, ultimately achieve reduction but thats an effect of the effort, not it’s actual goal. What you are doing, rather, is defining your environment (in a very literal sense).

These definitions (filters in ArcSight) then allow you to programmatically create an ontology within your system which defines your information classes, what their properties are, and how they relate to each other. That ontology exists as a combination of your basic filters and your core rules.

Once you know what your classes are, you can then write rules to define what kind of transformation (comparison, aggregation, filter, pass to another rule, send to active channel) ArcSight performs on your events.

Once these basic rules are written, you can then write higher level rules to express your intentions logically: “Show me when any perimeter firewall exceeds its normal state by a factor thats unusual across the enterprise firewalls”.

In that statement, you have to have “Firewalls” defined, what a Perimeter Firewall is, what your enterprise is, what kind of traffic values and ranges firewalls can expect, what your average enterprise data rate is for firewalls, and a host of other things. Unless you have formally created these things in ArcSight’s rule/filter system and can reuse you cant hope to create a scalable correlation engine – youll lose track of what the system is doing and will have to spend time / effort manually retracing how ArcSight got from point A to B and you lose the precision/accuracy of machine correlation in favor of manual correlation under pressure.

Once all of that is in place, you can use create rule classes: Groups of rules that organize and group events, rules that compare them to each other to say something smart about them, and then rules that either present the new events to analysts, send them back for additional correlation, or drop them completely.

I hope Im making some sense here

I would highly suggest checking out this URL: http://en.wikipedia.org/wiki/Ontology_(computer_science)

and:

http://en.wikipedia.org/wiki/Enterprise_service_bus

Ontologies are excruciatingly important to understand if youre doing ESM correlation (not that theyre commonly understood, but trust me on this)

Enterprise Service Bus’s (in Service Oriented Architectures) have a lot of the same requirements and features as ArcSight/ESM’s and are a good model to look at for what ArcSight’s role is in the context of security devices.

For various reasons, I’ve decided to close the SintixErr Gallery in Second Life. Not least of these was the fact that it was costing me $200/month to maintain (including the streaming media accounts). Work has taken on some new angles and that aspect of my life is finally waking from a long slumber and requires my undivided attantion. Correlation, Ontologies, Semantics, Enterprise Architectures, National Security, Terrorist Watchlists, SOA, Enterprise Service Buses, oh my.

I gave a talk at the DHS Security conference in Baltimore recently about Policy Driven Enterprise Security Architecture and was blown away by how few people understand how much the theory driving EA is going to impact the whole connected human race over the next few decades. They typically regard it as a morass of empty paperwork instead of an attempt to solve the fundamental problems we face as we move from the Data to the actual Information Age.

So, I’ll be starting a new blog about these topics in the next day or so. Check back for more info on that later.

In the mean time, check out this fantastically on-point book, “Emergent Information Technologies and Enabling Policies for Counter-Terrorism” from IEEE Press Series on Computational Intelligence. It’s amazing how similar the Security Event Correlation, Enterprise Architecture, and Counter-Terrorism information theory problem domains are.

Also, if you want some dated and dry but still relevant reading straight from the US government, try this (I found it in the above book): http://www.gao.gov/new.items/d03322.pdf

It essentially links EA directly to National Security matters.

(Unrelated Top Edit since this doesn’t need its own post: I’ve added my technical resume to this site in the Pages section if anyone is curious. I’m trying to consolidate the “plethora” of online personalities I’ve built up over the years.)

The past two or three weeks, I’ve been spending a lot of energy in and around the art world (and writing), but have been too busy to actually produce anything myself. This weekend I was determined to change that. For whatever reason, though, I just couldn’t bring myself to do another portrait. Honestly, I think it’s because I haven’t come across any faces that have really inspired me lately. So, instead (and because it had been a long time since I had drawn buildings or anything else that requires real perspective in a piece) I chose to use a slice of DC itself. I wanted to try and make an expressive portrait of a scene completely devoid of people.

What I ended up drawing was a cell phone capture of 3 or 4 unused buildings on Eye Street in Washington, DC just north east of China Town. I had taken it last Sunday while I was out in the area with Art Outlet folk. The street corner isn’t particularly special – it looks a lot like many other DC streets – but I thought the mix of building color (especially the boarded up windows) in contrast to all of the flat gray surroundings would be interesting. The rules I set for myself were: no rulers, no measurement markers, and a one hour max completion time. What came out was this:

(More to come later, this post has been interrupted by an artoutlet.org meeting.)

Now back. As I was saying… The above picture is obviously not going for intricate detail. All of the squares repeating really gets tedious. Instead, I tried to use some of the same techniques I use for face portraits (namely to get down the main details that strike me as the most interesting and core to the feeling of the face) and apply them to a city scene. In this case, I thought these were the specific things that held it together:

• The green window area of the second building
• The burnt/exposed brick area on the side of the second building
• The blue/white split of the third building
• The fire escape on the 2nd/3rd story of the second building
• The window repetition of the furthest (office) building
• The blue dumpster in front of the third building
• The fence next to the second building
• Tree branches and the sign coming in from the right side
• The yellow boarded windows (others were grey)

Once all of these things were represented somehow on paper (just enough so they were recognizeable), the other details didn’t really matter so much and could be fudged. How many windows there are on the last building or what exactly they look like really doesn’t change the character and feeling of the scene at all. The detail of the black car past the dumpster didn’t matter either, the subjects of the piece were the buildings and not the things around them. As long as some bare minimum context was provided, the main points identified above were sufficient for the purposes of expression.

I think the portrait techniques worked and, if not technically brilliant, I think the piece that came out has a definite personality.

(As a side note, I pencil sketched this first and added the conte crayon on top. The pencil itself would never have caught enough of the feeling to allow for an expressionist attempt like this without a lot more attention to detail.)