May 7, 2009 12:43 PM
From the Editors of The Geek Weekly
By day, security architect Jack Whitsitt creates data visualizations of hacker attacks -- sometimes using hundreds of millions of events’ worth of information -- forming images that look like distant galaxies.
These works of art have a second life -- on Second Life, where Whitsitt runs a virtual gallery that shows his data visualizations. Aside from adorning real and virtual galleries, his work has been used by data analysts to track hackers’ movements and discover when and where security systems went wrong.
We spoke with Whitsitt about his unique and innovative work, and here is an excerpt.
Q: How did you start creating these visualizations of security events?
A: In 2003, I started doing basic ideas analysis. I worked for a managed security services company. We had some of the largest companies and federal agencies as customers, so we were looking up to sixty million event points per day. We ran a visualizations tool that’s typically used for business analytics. I found it much more intuitive for our analysts to deal with color, shape, line, and form than for them to deal with texts. It was so successful that I even taught my younger siblings to look for hacker attacks, and they were able to at least see the basic stuff that our trained analysts would look for.
Q: Could you tell what kind of hackers they were, based on the visualizations?
A: There were a few different things that we looked for, indirectly. For example, we’d get the hint that something’s happened, and we’d use it as an investigation tool. So then we’d go and do the visualizations back in time to investigate that particular thing to validate it -- to see if it was normal traffic and get a feel for the nature of the attack and what was happening. In some cases we could get a feel for who was doing it, but more often just the nature of what was happening.
Q: So this all started as a better way of communicating the security landscape you were observing?
A: From a communication perspective, it was so powerful. We had a window that showed potential customers what we were doing, and my monitor was facing the window so that people could see the scale of the work. We’ve done numerous reports with it for executive and sales management. I would interview people with the visualizations, actually. I would give them the data sets and some basic background and say “talk to me about it.” It’d give a feel for who could think abstractly, because we were looking for really abstract thinkers.
Q: What gave you the idea to showcase the work as art?
A: My own interest in how it looked. I worked in a lot of open-ended shows for lots of people and wanted to show something that you might not normally see in a white-wall environment. It was something that I hadn’t seen before and that looked interesting. I also like putting up art that has a story behind it. People responded so strongly to the visualizations aesthetically, including myself, that I put them in the Artomatic 2007 show, using some of my own data.
Q: Each one looks different -- some like fractals, others like little Doppler shifts. Is there any guiding principal in how these visuals play out?
A: From the art and technical perspective, you have to have some understanding of what the underlying information is. So one of the things that I did on the back end is shape the data. I kind of suspect that these relationships will be important in the future, based on my own knowledge and background in security.
One of the more interesting ones that looks like a galaxy or stars was probably the least useful to us, but there’s some actual math represented, so the pattern tends to look more concrete. The more normal and less abstract it looked, the further in analysis it was. It’s interesting: We have 700 million events there at once. You can fit 100 in text on a screen at once. But you can still see pattern in there. You can still see dense blocks, then you realize that’s a graph of seven days of information. You see scans, like, you can see someone scanning customers or multiple enterprises at once. If you put the information together ahead of time based on what you know those relationships will be, you can see those patterns kind of pop up.
Q: Did you have any revelations looking at the information presented in this unusual format?
A: What was really useful -- and it’s not one of the glamorous things we track down but one that I know saves us a ridiculous amount of work -- is that we were trying to track down a firewall rule change. Somebody made a change, and we didn’t know who it was or what it was -- it was just acting funny. So we threw all of the traffic from that firewall for that time period together. It was so much information that to do that manually would have taken another week, which could have cost them a great deal of money, and they would have been vulnerable for that time. Using the visualization stuff took less than a day. That was one of the most monetarily striking things that I’ve seen.
Q: Are you planning on making more visualizations?
A: I’m looking at doing more, but more language focused. I want to look at the AOL search set that was released a couple of years ago to create a visualization of all of the search results and queries. Professionally, I’m modeling information security at a much higher level than I was at that time. Artistically, I just did a piece at the Sears Artomatic that I wrote the code for in python, to do a self-portrait. I’ve been thinking of self and identity a lot professionally. A lot of what security is based on is trust. Online, there are 30,000 different ways to represent who someone is. So the mosaic identity and things written in code are different ways to show the representation of what someone can be.
Q: So you’re looking at the bigger picture, like the evolution of security software?
A: A few years back, everyone was watching for the big, high-profile security breach, whereas now the threats for consumers -- like identity theft -- are quiet and behind the scenes. There are some theories that a lot of what you saw earlier was simply testing techniques for what they’re doing today. From where I look at it, at the technical level, there will always be vulnerabilities and something attacking, so from my point of view, at a business level, you have to make decisions ahead of time. Poor business decisions drive a lot of security breaches. People don’t understand their network, so they can’t protect it. They have to know who’s accessing it, what people are allowed to do with it, and in what context. That’s all information that’s not understood now. You can do all sorts of technical solutions, but until you know the information and understand what you can do with it, it’s going to be a really inefficient, expensive process. That’s professionally where I am. I’m trying to take the art here as well, with more abstract concepts.