Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security Deliverable D4.3.2 Visualisation to simplify complex information
Authors
Abstract
ion In general, but especially in the context of TRESPASS, abstraction is important for mitigating the complexity that can otherwise overwhelm a user of the TRESPASS tools in some scenarios. Risk assessment is itself a form of abstraction: it lets a security practitioner order contextual data and spotlight particular facets of the context before analysing it. Abstraction is used in two ways:
• Initially, in formal modelling, abstraction is needed to organise a view of the relevant infrastructure items and to present a view of all of the actors and their behaviours. Simplifying these for visualisation also addresses the more subtle features of these behaviours that emerge during iterative stages of modelling.
• Secondly, in the visualisations, abstraction can be used to mitigate complexity and information density in a constrained visual space.

3.2 Using standard interaction techniques to respond to complexity within the ANM

The abstraction techniques are manifested in standard interaction techniques, and these have been deployed in the ANM in order to reduce the visual complexity of a particular aspect of a complex risk scenario.
2016-10-31 ICT-318003 11 3.2 Interaction techniques within the ANM D4.3.2 v1.0

Possible approaches to tackle the visualisation of complex systems include:
Filtering/highlighting/sorting: filtering and/or highlighting and focusing can be used to select a subset of elements to reduce visual clutter; similarly, sorting the elements by a ranking metric confines the focus to a subset.
Exploiting visual form and representative functions: use visual form and well-known representative functions to allow quick, high-level recognition, e.g., the hover function to foreground the virtual machines involved in a specific flow of information (see Figure 4.4).
Using abstractions: use abstractions in the set of elements to group ‘similar’ elements and combine them into fewer elements in order to visualise effectively.
Overview and drill-down: give an overview of the total system, possibly starting with higher-level abstractions of subsystems, while allowing drill-down into individual subsystems to show more detail. This approach is explored, for example, with the “alluvial” view of relations between physical and virtual servers in TiCoVis (see Figure 4.3).
Multiple views: show multiple views of the system from different viewpoints or ‘gazes’ to highlight different aspects of the system at the same time in a coordinated visualisation (North & Shneiderman, 2000).
Some of these approaches can be combined for additional benefit, e.g., multiple views of the system are especially helpful when selections in one view are coordinated with all other visible views, so that the selected entities can be seen in their different contexts and perspectives. In the remainder of this deliverable we report on two prototypes that deploy these techniques to visualise two particular aspects of advanced information security risk assessment in the cyber realm.
4 Visualising complexity in the Cloud scenario

The Cloud use case in TRESPASS task T7.2 enables us to apply our general approach to visualising complexity and to develop some new tools specifically for it. The cloud represents the three spheres that we use within TRESPASS visualisations, namely social, technological and physical:
• a physical setting with rooms, doors and windows where, e.g., the physical infrastructure of a cloud environment is situated and where the different actors have access and can move,
• software-defined virtual parts, like virtual machines, virtual networks and storage, situated in an abstract and completely separate space, and
• the social space, where the distance between actors defines weak or strong relationships.
At the same time, the physical elements (e.g., servers, network) can number in the tens of thousands and the virtual, software-defined components (e.g., virtual machines) in the hundreds of thousands. In addition, there is typically a very large number of users of the cloud infrastructure and rather few, but very powerful, administrators. All these elements interact (cooperating or acting maliciously), leading to complex behaviour over time and in effect to a Complex Adaptive System; compare the discussion in The TRESPASS Project, D4.2.1 (2014). In the following, we show our work on representing a cloud environment, as an example of a complex environment, in a visually understandable way. Section 4.1 starts with work from earlier in the project that depicts a live cloud environment in real time as a general graph. During this work we found that the current state of the art still lacks visualisations that make changes over time understandable.
Current software for managing cloud environments, like VMware vCenter or the Horizon dashboard of OpenStack, focuses on the current state of the infrastructure and on the ways to configure and manage the system. The corresponding monitoring tools, although they show the time aspect, are focused on technical details like memory or CPU utilisation rather than on changes of structure or of access control roles. Such changes are hardly visualised at all and are mainly recorded in text-based log files. Identifying changes in a complex and highly dynamic system is difficult, but it is a necessary aspect of cloud risk assessment: missing a relevant change may mean failing to identify a violation of a required policy, or missing the steps that indicate an intrusion (from the outside or by an insider). Failure to identify the changes that have taken place over time is therefore a significant vulnerability in cloud administration. Referring back to the visualisation challenges for TRESPASS stated earlier in this deliverable, the work in this deliverable responds to them in a particular way:
• The visualisation prototypes presented here identify the visualisation principles that enable the social (in this case cloud actors), technical, physical and organisational (particularly the administrative) changes to the cloud environment to be visualised both as an integrated whole and within their individual dimensions;
• They develop visualisation techniques to respond to the challenge of change over time, based on the visualisation principles identified; and
• They develop general and specific techniques for visualising the inter-relationships between the social, technical, physical and organisational components, thereby enabling cloud administrators to identify potential vulnerabilities in the cloud environment resulting from system and configuration changes.
As cloud systems, be they private or public, are highly attractive targets for intruders, there is a high risk of attacks that occur in small steps over a long period of time, as in Advanced Persistent Threats (see for example Fernandes, Soares, Gomes, Freire, & Inácio (2014) and Five (2011)). Making the changes of a cloud system more easily understandable through visualisation is therefore a means of handling such advanced risks. For this reason we have put our efforts into prototypes that look especially at visualisations which make changes of the system understandable. The two following prototypes, TiCoVis described in Section 4.2 and CEAV in Section 4.3, aim to give on the one hand a direct representation of change over time for a specific type of relation (TiCoVis), and on the other hand a more complex structural representation of the cloud environment for selected time intervals (CEAV), both focusing on change occurring over time.

4.1 Live Visualisation of a cloud environment – SAVE

SAVE is a data extraction and policy analysis tool that was developed by IBM as part of the EU FP7 TClouds project (TClouds, 2013). The policy analysis required a simple network topology, which the SAVE data collection engine built from information extracted from a number of cloud operating systems. During the TRESPASS project the data collection engine was extended to capture a richer set of information, better suited to the requirements of the TRESPASS modelling language developed in WP1 (see The TRESPASS Project, D2.2.2 (2015)). The extended data extraction capabilities, in particular the ability to capture a consistent snapshot of a virtualised infrastructure, were later transferred to an IBM product.
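The policy violation that SAVE highlights in Figure 4.2, a disallowed network connection between test and production machines, is the kind of check that runs over exactly such a consistent snapshot. The following Python is an added illustration and not SAVE's own code: the snapshot format, the zone tags and the rule "a test VM must not share a network segment with a production VM" are assumptions, and the snapshot data is constructed. It treats VMs and virtual networks as one graph and flags every reachable segment that mixes zones, so that a VM bridging two networks with a second interface is caught as well as a direct mis-attachment.

```python
"""Policy check over a consistent snapshot of a virtualised infrastructure.

Added example, not SAVE's code: the snapshot format, the zone tags and the
policy "test and production must not share a network segment" are assumptions.
"""
from collections import defaultdict, deque

# Constructed snapshot (not real inventory data): every VM lists the virtual
# networks it is attached to and the zone assigned to it by its owner.
SNAPSHOT = {
    "vms": {
        "vm-web-01":  {"zone": "production", "networks": ["net-prod-frontend"]},
        "vm-db-01":   {"zone": "production", "networks": ["net-prod-backend"]},
        "vm-build-7": {"zone": "test",       "networks": ["net-test"]},
        "vm-ci-2":    {"zone": "test",       "networks": ["net-test"]},
        # A test box with a second NIC on a production network: this is the
        # kind of misconfiguration that bridges two otherwise separate segments.
        "vm-jump-3":  {"zone": "test",       "networks": ["net-test", "net-prod-backend"]},
    }
}


def build_adjacency(snapshot):
    """Undirected VM<->network graph; nodes are ("vm", name) or ("net", name)."""
    adj = defaultdict(set)
    for vm, info in snapshot["vms"].items():
        for net in info["networks"]:
            adj[("vm", vm)].add(("net", net))
            adj[("net", net)].add(("vm", vm))
    return dict(adj)


def connected_components(adj):
    """Breadth-first search; each component is one reachable network domain."""
    seen = set()
    for start in adj:
        if start in seen:
            continue
        component, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            component.add(node)
            for neighbour in adj.get(node, ()):
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        yield component


def find_zone_violations(snapshot, zone_a="test", zone_b="production"):
    """One record per reachable domain that contains VMs of both zones."""
    adj = build_adjacency(snapshot)
    zone_of = {vm: info["zone"] for vm, info in snapshot["vms"].items()}
    violations = []
    for component in connected_components(adj):
        vms = sorted(name for kind, name in component if kind == "vm")
        in_a = [vm for vm in vms if zone_of[vm] == zone_a]
        in_b = [vm for vm in vms if zone_of[vm] == zone_b]
        if in_a and in_b:
            violations.append({
                "networks": sorted(name for kind, name in component if kind == "net"),
                zone_a: in_a,
                zone_b: in_b,
                # VMs attached to more than one network are the likely bridges.
                "bridges": [vm for vm in vms if len(adj[("vm", vm)]) > 1],
            })
    return violations


if __name__ == "__main__":
    for violation in find_zone_violations(SNAPSHOT):
        print("policy violation:", violation)
```

On the constructed snapshot the only violation is the segment formed by net-test and net-prod-backend, and the record names vm-jump-3 as the bridge, which is what an administrator would want to see highlighted rather than just the pair of networks.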
As part of these extensions, work in the TRESPASS project on visualising the status of the cloud environment focused on presenting the detailed system state as a live graph (see Figure 4.1) for exploration and for real-time highlighting of policy violations (see Figure 4.2). A detailed description of the work on security analysis and policy checking can be found in Bleikertz, Vogel, and Groß (2014) and Bleikertz, Vogel, Groß, and Mödersheim (2015).
Figure 4.1: Graph visualisation of the live cloud environment state (using Gephi, the Open Graph Viz Platform, https://gephi.org). Different colours indicate different component types such as physical servers, virtual machines, storage and network. The interface allows zooming and selecting components for more detailed exploration.
Following on from this work, we investigated how the changes in a complex cloud environment could be represented visually, to allow the history of the system, and some of the risks associated with that history, to be understood in a visual way. This led to the prototypes described in the next two sections.
Figure 4.2: SAVE visualisation showing a policy violation caused by a disallowed network connection between test and production machines.

4.2 Representing a selected containment relation over time – the Time-Containment Visualiser (TiCoVis)

The Time-Containment Visualiser (TiCoVis) creates an “alluvial” view of a selected “container-content” relation, e.g., between physical servers and virtual machines, over time. In an alluvial diagram, time is an integral part of the visualisation, and the “flow” of contained elements between containers over time is directly visible because it is laid out spatially.
Zooming and panning allow the big picture to be viewed over time as well as the details of specific time intervals. As the focus in this prototype is on just one specific containment-like relation between two types of instance, here the placement of virtual machines on physical hosts, it is possible to show time explicitly as one dimension of the representation. However, the large number of elements and change events requires steps to visually summarise the data and to focus on changes rather than on unchanging elements.
Figure 4.3: The alluvial flow of virtual machines contained by physical hosts over time.
Figure 4.3 shows the entry screen of TiCoVis with data from a live medium-sized private cloud (for protection, the data is suitably anonymised; a cloud administrator would of course see instead the host names with which they are familiar). The horizontal bands represent physical host machines over time; the width of a band indicates the number of virtual machines deployed on that host. Rectangles represent a host at a specific point in time at which a change occurred for this host. Flows are coloured with a gradient to further clarify visually where changes are occurring.
Figure 4.4: The same screen as above, showing that hovering over connections or host rectangles gives details of the virtual machines remaining on, or moving between, hosts (for connections) and of joining/leaving/new/deleted virtual machines (for host rectangles).
Time is represented on the horizontal axis. The upper part shows the main information for the time interval selected in the timeline at the bottom. The timeline summarises the available data as a fixed full interval, placing red markings at all change events and so giving a direct indication of where, or rather when, changes occurred.
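How this view is derived from raw inventory data, as an added example in Python that is not TiCoVis's own code: the snapshot format, the event names and the rule that events on one host closer together than a minimum time gap collapse into a summarisation node are assumptions, and the placement history is constructed. It follows the abstraction steps used in this section: size the unreduced layout, keep only the hosts and times at which something changed (which also yields the red timeline marks), separate moving VMs from staying ones, and summarise crowded events.

```python
"""TiCoVis-style abstraction of a VM-placement history.

Added example, not the TiCoVis code: the snapshot format, the event names and
the rule that events on one host closer than `min_gap` collapse into a
summarisation node are assumptions.
"""
from collections import defaultdict

# Constructed placement history (not real data): (time, {vm: host}) as an
# inventory poll would report it; times are seconds.
SNAPSHOTS = [
    (0,   {"vm1": "hostA", "vm2": "hostA", "vm3": "hostB", "vm4": "hostC"}),
    (100, {"vm1": "hostA", "vm2": "hostB", "vm3": "hostB", "vm4": "hostC"}),                 # vm2 moves A->B
    (105, {"vm1": "hostA", "vm2": "hostB", "vm3": "hostB", "vm4": "hostC", "vm5": "hostB"}), # vm5 created on B
    (110, {"vm1": "hostA", "vm3": "hostB", "vm4": "hostC", "vm5": "hostB"}),                 # vm2 deleted
    (400, {"vm1": "hostA", "vm3": "hostA", "vm4": "hostC", "vm5": "hostB"}),                 # vm3 moves B->A
]

EVENT_KINDS = ("joined", "left", "new", "deleted")


def full_layout(snapshots):
    """Step 1: size of the unreduced view, one node per (host, time) and one
    link per VM present in two consecutive snapshots."""
    nodes, links = set(), 0
    for time, placement in snapshots:
        nodes.update((host, time) for host in placement.values())
    for (_, prev), (_, cur) in zip(snapshots, snapshots[1:]):
        links += len(set(prev) & set(cur))
    return len(nodes), links


def host_events(snapshots):
    """Step 2: keep only (time, host) pairs at which something changed, with the
    VMs that joined/left (moved) or were new/deleted there."""
    events = []
    for (_, prev), (t, cur) in zip(snapshots, snapshots[1:]):
        per_host = defaultdict(lambda: {kind: [] for kind in EVENT_KINDS})
        for vm in sorted(set(prev) | set(cur)):
            before, after = prev.get(vm), cur.get(vm)
            if before == after:
                continue  # VM stayed put: no node is drawn for this
            if before is None:
                per_host[after]["new"].append(vm)
            elif after is None:
                per_host[before]["deleted"].append(vm)
            else:
                per_host[before]["left"].append(vm)
                per_host[after]["joined"].append(vm)
        events.extend((t, host, ev) for host, ev in sorted(per_host.items()))
    return events


def timeline_marks(events):
    """Red markings on the timeline: every time at which a change occurred."""
    return sorted({t for t, _, _ in events})


def movers(events):
    """Step 3: VMs that changed host (drawn highlighted) as opposed to staying."""
    return sorted({vm for _, _, ev in events for vm in ev["joined"]})


def summarise(events, min_gap):
    """Step 4: consecutive events on one host closer than min_gap collapse into
    one summarisation node carrying the count and the merged VM lists."""
    by_host = defaultdict(list)
    for t, host, ev in events:
        by_host[host].append((t, ev))
    nodes = []
    for host, evs in sorted(by_host.items()):
        group = [evs[0]]
        for t, ev in evs[1:]:
            if t - group[-1][0] < min_gap:
                group.append((t, ev))
            else:
                nodes.append(_node(host, group))
                group = [(t, ev)]
        nodes.append(_node(host, group))
    return nodes


def _node(host, group):
    merged = {kind: sorted(vm for _, ev in group for vm in ev[kind]) for kind in EVENT_KINDS}
    return {"host": host, "time": group[0][0], "summarised": len(group), "events": merged}


if __name__ == "__main__":
    print("unreduced layout (nodes, links):", full_layout(SNAPSHOTS))
    ev = host_events(SNAPSHOTS)
    print("timeline marks:", timeline_marks(ev), "movers:", movers(ev))
    for node in summarise(ev, min_gap=20):  # 20 s is roughly one node width at this zoom level
        print(node)
```

The 15-node, 16-link unreduced layout shrinks to six change events, and with a 20-second gap the three events on hostB between t=100 and t=110 fold into one node carrying "summarised: 3". Tying min_gap to the current zoom level (seconds per node width) gives the unfolding-on-zoom behaviour described for Figure 4.5.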
Hovering over flows or host rectangles dims all flows except the ones connected to this flow/host and shows information on the involved virtual machines and related changes in a tooltip (see Figure 4.4); animations of the features described here can be found at our visualisation showcase at https://visualisation.trespass-project.eu/?p=55. Zooming and panning are enabled on both the data area and the timeline for easy selection of arbitrary time intervals, making it possible to identify time intervals dense with changes (see Figure 4.5 for a detail). However, in some time intervals so many changes were made to the system that marking each change by a rectangle would lead to complete visual overload. For these intervals, the entries have been summarised into special summarisation nodes (double the width of normal nodes, with a slightly darker colour and a pattern indicating how many events are summarised within). This can be seen, for example, in Figure 4.3 on the lower right-hand side. Zooming into this time regime gradually unfolds the contained nodes (shown in Figure 4.5).
Figure 4.5: The alluvial flow of virtual machines contained by physical hosts over time, zoomed to a smaller time interval, resolving the previous summarisation steps. Hovering gives details of virtual machines joining/leaving as well as new/deleted for the specific host.
To clarify the specific steps used to simplify the large data set, we show intermediate stages of the visualisation work in Figures 4.6–4.8:
Figure 4.6: Step 1 of visual data representation: the original data set (630 nodes, 655 links).
Figure 4.7: Step 2 of visual data abstraction: eliminating unchanging host information reduces the data to 89 nodes & 114 links.
A timeline is added to highlight in summarised form at which times changes occurred (red markings in the timeline), as well as to select a time interval to focus and zoom in on.
1. Figure 4.6 shows the original data, consisting of 630 nodes and 655 connections.
2. To reach Figure 4.7, unchanging elements of the data have been removed (leaving 89 nodes with 114 connections), and an overview and selection timeline marking changes in the data has been introduced.
3. In Figure 4.8 the focus has been put on changes by highlighting virtual machine movements between different hosts as compared to virtual machines staying on the same host. Gradients in the connections further strengthen the visual appearance of change times; overlapping and unnecessary labels have been removed.
4. As a final step, summarisation nodes replace overlapping nodes, indicating by the density of the vertical stripe pattern how many nodes are summarised.
Figure 4.8: Step 3 of visual data abstraction: highlighting changing elements as opposed to unchanging ones, as well as cleaning up unrequired labels. In the final step 4 of abstraction, leading to Figure 4.3, special summarisation nodes are introduced where existing nodes are too close and overlap. This reduces the data visually to 56 nodes & 81 links.
In summary, this visualisation uses a novel combination of an alluvial flow representation with an explicit time scale and fluid summarisation/unfolding while zooming in the time scale.

4.3 Structural representation of the cloud/actor system – the Cloud Environment & Actor Visualiser (CEAV)

The Cloud Environment & Actor Visualiser (CEAV) visualises a cloud environment, including infrastructure such as physical servers and virtual machines as well as cloud actors.
The environment is depicted over time with a focus on the roles the administrators have on parts of the infrastructure. As cloud environments typically have a large number of components, the view abstracts/summarises unchanging parts visually, allowing the user to focus on the elements that change over a given time interval. The time interval of interest can be selected from a timeline that indicates changes in an overview of the available date range. Representing the overall cloud environment including its actors does not leave room for the explicit representation of time as a spatial dimension (as in TiCoVis). Therefore in this prototype snapshots of the system state, with the changes during a selected time interval highlighted, are shown together with a timeline that summarises the times of change and allows selection of the time interval for which changes are shown. Figure 4.9 shows the initial view of CEAV, again for data from a real medium-sized private cloud (for protection, the data is anonymised; a cloud administrator would see instead the user and infrastructure names with which they are familiar). This more complicated view shows on the left-hand side the various cloud actors (represented by their user IDs in the cloud), and on the right-hand side a depiction of the parts making up the cloud infrastructure. Both parts are connected by role links that show what level of access control the actors on the left have over which part of the cloud infrastructure on the right. The infrastructure parts form a hierarchy through parent-child relationships (as given by the cloud management backend, here VMware vCenter) that is essentially used for grouping similar types of infrastructure. Additionally there are many other types of relations between the elements, e.g., the containment relationship between virtual machines and physical hosts, as exploited in TiCoVis above.
These relationships can be highlighted and named when selecting individual elements, as shown in Figure 4.10; animations of the features described here can be found at our visualisation showcase at https://visualisation.trespass-project.eu/?p=216. This structural representation of the cloud environment is accompanied by a timeline below that shows the full range of observation available, again marking where changes occurred (red marks changes in the infrastructure, blue a change in actors or roles). In this way, administrators are able to identify social, organisational, technological and physical changes to the cloud environment and consider these changes as vulnerabilities both within their individual domains and in composition. This is in line with the visualisation challenges identified and with the WP4 responses to those challenges. As the structure here is more complex and there is typically a large number of cloud infrastructure elements, the representation focuses on the changes occurring in the time interval selected in the timeline: a red colour marks relationships that vanished and a green colour relationships newly introduced in the graph during that interval. To keep the representation visually readable despite the large number of elements, abstraction is employed here to summarise similar elements into nodes marked ’Unchanging’, together with a count of the summarised nodes (on this particular hierarchical level; each of them potentially represents a much larger number of lower-level elements). Figure 4.11 shows the selection of a smaller time interval around the time at which the role changes occurred. Hovering over a role connection shows details of the role type and of the specific user and infrastructure element.
Figure 4.9: Changes of the cloud environment over time.
The upper part shows the cloud actors on the left and the cloud infrastructure parts on the right, connecting both parts by showing the access roles the actors have on the infrastructure. A timeline below shows where changes occur (red for changes in the infrastructure, blue for access role changes), allowing the selection of a time interval for which the changes are summarised and highlighted above.
Figure 4.10: Changes of the cloud environment over time: selecting one element makes it possible to see its relationships with other elements of the infrastructure by highlighting the corresponding connections.
Figure 4.11: Changes of the cloud environment over time: selecting a smaller time interval around the role change shows the correspondingly different set of environment changes.
In the following figures we again show the major steps leading from the original data set to the final prototype:
1. Figure 4.12 shows the original complete data without any time indication or notion of change.
2. In Figure 4.13 a timeline is added showing the change events and allowing the selection of a time interval for which changes are highlighted in the structural representation. As can be seen, this representation is still hardly readable due to the large number of elements.
3. Introducing the summarisation of unchanging elements leads to the prototype as shown in Figure 4.9.
Figure 4.12: Structure of a cloud environment: original data without time selection.
In summary, this prototype is able to show in a visually understandable way the changes occurring in a cloud environment, be it on the infrastructure side or among the cloud actors. A special focus is given to the access roles the actors have over the cloud infrastructure.
This is done by combining a timeline showing changes over the period of data collection with a structural representation focusing on change during a selected time interval. Due to the large number of elements, this requires strict summarisation and abstraction of unchanging elements to generate a visual representation that is still readable. Using this technology, cloud administrators are able to identify where vulnerabilities are introduced by individual changes to the cloud environment and by compositions of such changes.
Figure 4.13: Structure of a cloud environment: addition of a timeline and highlighting of the changes occurring during the selected time interval.
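The change computation behind the CEAV view, as an added Python example that is not the CEAV code: the snapshot format (a parent map for the infrastructure hierarchy plus a set of (actor, role, element) triples), the role names and the 'Unchanging (n)' label are assumptions, and the snapshots are constructed. It produces the red/blue timeline marks, the vanished (red) and new (green) relationships for a selected interval, flags newly granted privileged roles as the change to inspect first, and folds the unchanged children of each hierarchy node into one counted node.

```python
"""CEAV-style change view of a cloud environment and its actors.

Added example, not the CEAV code: the snapshot format (a parent map for the
infrastructure hierarchy plus a set of (actor, role, element) triples), the
role names and the 'Unchanging (n)' label are assumptions.
"""
from collections import defaultdict

# Constructed inventory snapshots (not real data): (time, infra_parents, roles).
BASE_INFRA = {"dc1": None, "clusterA": "dc1", "host1": "clusterA", "host2": "clusterA",
              "vm-web": "host1", "vm-db": "host2"}
INFRA_WITH_HOST3 = {**BASE_INFRA, "host3": "clusterA"}
BASE_ROLES = {("alice", "Admin", "dc1"), ("bob", "ReadOnly", "clusterA"),
              ("ci-svc", "VMUser", "vm-web")}
SNAPSHOTS = [
    (0,   BASE_INFRA, BASE_ROLES),
    (50,  INFRA_WITH_HOST3, BASE_ROLES),                                  # host added
    (120, INFRA_WITH_HOST3, BASE_ROLES | {("bob", "Admin", "host2")}),    # bob made Admin on host2
    (200, {k: v for k, v in INFRA_WITH_HOST3.items() if k != "vm-db"},
          (BASE_ROLES | {("bob", "Admin", "host2")}) - {("ci-svc", "VMUser", "vm-web")}),  # vm-db gone, CI role revoked
]


def timeline(snapshots):
    """(time, infra_changed, roles_changed) per snapshot against its predecessor:
    the red (infrastructure) and blue (actor/role) marks of the timeline."""
    return [(t, i0 != i1, r0 != r1)
            for (_, i0, r0), (t, i1, r1) in zip(snapshots, snapshots[1:])]


def state_at(snapshots, t):
    """Latest snapshot taken at or before t."""
    return max((s for s in snapshots if s[0] <= t), key=lambda s: s[0])


def diff_interval(snapshots, t_from, t_to):
    """What vanished (drawn red) and what appeared (drawn green) between the
    states at the two ends of the selected interval."""
    _, i0, r0 = state_at(snapshots, t_from)
    _, i1, r1 = state_at(snapshots, t_to)
    return {
        "infra_removed": sorted(set(i0) - set(i1)),
        "infra_added":   sorted(set(i1) - set(i0)),
        "roles_removed": sorted(r0 - r1),
        "roles_added":   sorted(r1 - r0),
    }


def privileged_grants(diff, privileged=("Admin",)):
    """Newly granted privileged roles: the change to inspect first."""
    return [triple for triple in diff["roles_added"] if triple[1] in privileged]


def collapse_unchanging(snapshots, t_from, t_to):
    """Hierarchy for the interval: children touched by a change are listed,
    the rest of each parent's children fold into one 'Unchanging (n)' node."""
    diff = diff_interval(snapshots, t_from, t_to)
    changed = set(diff["infra_removed"]) | set(diff["infra_added"])
    changed |= {element for _, _, element in diff["roles_removed"] + diff["roles_added"]}
    children = defaultdict(set)
    for _, infra, _ in (state_at(snapshots, t_from), state_at(snapshots, t_to)):
        for node, parent in infra.items():
            if parent is not None:
                children[parent].add(node)  # union of both states, so removed nodes still show
    tree = {}
    for parent, kids in sorted(children.items()):
        shown = sorted(kid for kid in kids if kid in changed)
        hidden = len(kids) - len(shown)
        tree[parent] = shown + ([f"Unchanging ({hidden})"] if hidden else [])
    return tree


if __name__ == "__main__":
    print("timeline:", timeline(SNAPSHOTS))
    d = diff_interval(SNAPSHOTS, 100, 250)
    print("diff:", d)
    print("privileged grants:", privileged_grants(d))
    print("tree:", collapse_unchanging(SNAPSHOTS, 100, 250))
```

Selecting the wide interval 100 to 250 shows the removed vm-db in red, the revoked CI role in red and bob's new Admin role on host2 in green, while host1, host3 and clusterA itself fold into 'Unchanging' nodes; narrowing to 110 to 130, as in Figure 4.11, leaves only the role grant.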
Publication date: 2016