Category: Presentations

Unveiling The Open Source Visualization Engine For Busy Hackers at Black Hat 2014

This year marks the first year in my security career that I get to speak at the Black Hat security conference – and I couldn’t be more excited. On Tuesday, August 6th at 2:15pm local time, I’ll be co-presenting Unveiling The Open Source Visualization Engine For Busy Hackers with Thibault Reuille. Here is the abstract for the talk:

The way a human efficiently digests information varies from person-to-person. Scientific studies have shown that some individuals learn better through the presentation of visual/spatial information compared to simply reading text. Why then do vendors expect customers to consume presented data following only the written word method as opposed to advanced graphical representations of the data? We believe this approach is dated.

To help the neglected visually inclined masses, we decided to create a free and Open Source engine to remove the complexity of creating advanced data visualizations. The ultimate goal of the project was to allow for the visualization of any loosely related data without having to endlessly reformat that data. For the visual/spatial learners, the engine will interpret their own data, whether it be a simple or complex system, and present the results in a way that their brains can understand.

Learning, for visual-spatial learners, takes place all at once, with large chunks of information grasped in intuitive leaps, rather than in the gradual accretion of isolated facts or small steps. For example, a visual-spatial learner can grasp all of the multiplication facts as a related set in a chart much easier and faster than memorizing each fact independently. We believe that some security practitioners might be able to better utilize their respective data sets if provided with an investigative model that their brains can understand.

During this presentation, we will show you how you can take any relational data set, quickly massage the format, and visualize the results. We will also share some observations and conclusions drawn from the results of the visualization that may not have appeared in simple text form. We have used this engine within OpenDNS to track CryptoLocker and CryptoDefense ransomware, Red October malware, and the Kelihos botnet. Additionally, specific Syrian Electronic Army (SEA) campaigns, carding sites, and even a map of the Internet via Autonomous Systems have been visualized using the engine.

Interesting data can also be isolated through the use of Python and JavaScript-based plugins that can be easily added to the engine’s framework. These plugins affect the way the data is visualized and allow analysts to make sense of their data as it relates to the question they’re trying to answer. The “big picture” model will help visually inclined incident responders, security analysts, and malware researchers visually stitch together complex data sets without needing a PhD in math or particle physics.

OpenGraphiti, what we’ve named the tool, will be made available the day of the presentation. Having used it at work (and for play) I can tell you that it’s going to blow your mind. See you in Vegas and I hope to see some of my readers at the talk 🙂

Upcoming Talks: ISC2 Congress 2013

Looks like I get to go to the land of deep dish pizza (Chicago) at the end of the month to speak at the 2013 (ISC)² Congress. I’ll be giving two talks:

3340: (ISC)² – The Five W’s of Securing Dev/Test Cloud Instances
Wednesday, September 25, 2013: 4:30 PM-5:30 PM
S106b – Cloud Track
Software developers, engineers and quality assurance/testers are spinning up cloud servers outside of IT’s control, and, generally speaking, security is the last thing on their mind. Business leadership and product owners typically turn a blind eye to this practice, often referred to as ‘Shadow IT’, because the business knows that letting the software people get their job done faster ultimately results in software getting delivered faster. What many organizations might not know, however, is that this expedited process, often implemented in the name of ‘Agile Development’ or ‘DevOps’, has the potential for increasing organizational security risks.


4340: (ISC)² – When Lightspeed’s Too Slow: Security Automation At Ludicrous Speed
Thursday, September 26, 2013: 3:30 PM-4:30 PM
S106b – Cloud Track
Deploying new or migrating existing applications to cloud architectures introduces a host of new challenges for teams responsible for SaaS product success. Being able to prove to existing and future customers that the servers, applications and customer data are just as safe and secure in a SaaS offering as they were in the organization’s datacenter is almost always a mandatory customer requirement. This session will highlight the business and technical requirements for SaaS product success as well as the new concerns introduced by adopting cloud to deliver products.

Hopefully I’ll see you there 🙂

Please vote for my talks at BSidesSanFrancisco

I’m hoping my readers can help vote up some of the presentations that I am a part of at BSidesSanFrancisco. As such, here is a consolidated view of the presentations:

  • Name: Dave Shackleford (@daveshackleford) & Andrew Hay (@andrewsmhay) Vote for this talk!
  • Title: A Brief History of Hacking
  • Abstract: Phreaking? Captain Crunch? Blue boxes? Not to mention LoD, MoD, and the evolution of cyberpunk in modern society. This may be all Greek to you, or you might know exactly what all of these monikers mean. Either way, come along for the ride as we revisit the beginnings of hacking, as well as the key players that contributed to its growth and notoriety. We’ll cover the early days of phone phreaks and bulletin boards, hacker gangs and 2600, Kevin Mitnick and Cliff Stoll’s story of how a 75 cent accounting error led to an international computer crime investigation. Learn about Bill Cheswick’s evening with “Berferd”, the first Trojan Horse programs, and which “hacker movies” are the most realistic, if that’s even a possibility. Audience participation required – this thing is fast, furious, and ridiculous.


  • Name: Joe Gottlieb, @joe_gottlieb Vote for this talk!
  • Title: Open Security Intelligence: Art of the Possible or Science of the Necessary?
  • Abstract: As cyber crime and cyber war drive up the stakes involved, security management has become much more proactive – organizations must understand where they are most vulnerable, where they have been hacked, and why. Currently, organizations have *too much* security data and not enough tools to efficiently analyze it. They have security *content*, but not enough *context* to recognize new attacks or trends that might indicate a breach. What’s missing is the ability to “mine” security data to find the key bits of information that may define a new attack. With so many logs and data stores from so many systems, network, and security tool vendors, it’s a nightmare to find the key “needles” in the haystacks of security information. This process of mining security intelligence needs to be improved – and it needs to be open.

    Nearly a decade old, the SIEM and log management market has matured over time and is now widely adopted among large enterprises and government agencies seeking to maintain compliance and respond to security incidents. Unfortunately, most SIEM and log management products constrain end users’ ability to drill down and analyze the data, which is so necessary to drive informed incident response and the continuous improvement efforts originally intended by compliance regulations.

    Led by a panel of security management experts, this talk will discuss emerging use cases that are “prying open” SIEM platforms, analytics and dashboards. Sub-topics of interest will include:

    – How to Walk, Talk and Dream Like a Security “Quant”
    – SQL as Cyber-attack Signature Language
    – Leveraging BI Tools to Mine Security Data
    – Dashboards For All My Friends (CISO, CIO, CEO, Customer 1, Customer 2…)

    The goal of this session is to stimulate an industry dialogue on how best to turn “the art of the possible” into “the science of the necessary” when it comes to truly customer-driven security data analysis. Panelists will include: Joe Gottlieb, CEO of SenSage; Andrew Hay, Security Analyst at The 451 Group; and Dan Ritari, Vice President of Enterprise Information Risk Management at Deluxe Corporation. Come join the debate and help shape the revolution!


  • Name: Andrew Hay, @andrewsmhay, Senior Security Analyst, The 451 Group Vote for this talk!
  • Title: Attacking Cyber Security Marketecture
  • Panelists:
    – Richard Bejtlich, Director, Incident Response at General Electric
    – Rob Lee, Director, MANDIANT Corporation
    – Amit Yoran, CEO, Netwitness
  • Abstract: There are likely no terms wielded within the information security industry with greater carelessness than those of ‘Cyber Security’ and ‘Cyberwarfare’. A $55b market by 2015, the nation-state Cyber Security market cannot, and should not, be defined by the broad strokes employed by enterprise marketing personnel. Chaired by Andrew Hay, this panel of industry experts with hands-on experience protecting cyber security assets serves to provide unbiased third-party insight into the differences between traditional enterprise security and government, military and intelligence agency-driven Cyber Security.
