Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Russell Handorf

Attack Visualizations Using GraphViz and Google Earth

Taking the net-flow data, we compare each connection's IP address against the SIEM's database and the time stamp of any matching entry. If there is no entry, we consider the connection safe. If there is an entry, then depending on how close the connection time is to that entry we classify it as either hostile or a live hostile event. We then take those IP addresses and classifications and look up their latitude and longitude in a geolocation database (free ones are less accurate than paid ones). Once this list is compiled, we simply tell Google Earth to draw the connection points and you get a picture like the one below.
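As an added illustration of that pipeline (example code, not the column's own script): flows are checked against a SIEM hit list, classified safe / hostile / live, geolocated, and written out as KML lines that Google Earth can draw. The SIEM table, geo table, sample flows, the monitored host address and the one-hour "live" window are all constructed assumptions for the demo.

```python
# Added example, not from the original column. All data below is constructed.
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Constructed stand-in for the SIEM database: source IP -> time of its last alert.
SIEM_HITS = {
    "203.0.113.7": datetime(2008, 9, 29, 10, 40),
    "198.51.100.23": datetime(2008, 9, 28, 2, 15),
}
# Constructed stand-in for a geolocation database: IP -> (latitude, longitude).
GEO = {
    "203.0.113.7": (52.52, 13.40),
    "198.51.100.23": (35.68, 139.69),
    "192.0.2.50": (40.71, -74.01),
    "10.0.0.5": (39.95, -75.17),   # the monitored host (assumed)
}
LIVE_WINDOW = timedelta(hours=1)  # assumption: alert within 1h of the flow = live event

def classify(src_ip, flow_time, siem=SIEM_HITS, window=LIVE_WINDOW):
    """Return 'safe', 'hostile' or 'live' for one flow, following the column's rules."""
    hit = siem.get(src_ip)
    if hit is None:
        return "safe"                      # no SIEM entry at all
    return "live" if abs(flow_time - hit) <= window else "hostile"

def to_kml(flows, geo=GEO, local_ip="10.0.0.5", siem=SIEM_HITS):
    """flows: list of (src_ip, datetime). Emit one coloured KML line per flow."""
    colors = {"safe": "ff00ff00", "hostile": "ff00a5ff", "live": "ff0000ff"}  # KML aabbggrr
    home_lat, home_lon = geo[local_ip]
    placemarks = []
    for src_ip, when in flows:
        if src_ip not in geo:
            continue                       # geolocation miss: nothing to draw
        cls = classify(src_ip, when, siem)
        lat, lon = geo[src_ip]
        placemarks.append(
            f"<Placemark><name>{escape(src_ip)} ({cls})</name>"
            f"<Style><LineStyle><color>{colors[cls]}</color><width>2</width></LineStyle></Style>"
            f"<LineString><tessellate>1</tessellate><coordinates>"
            f"{lon},{lat},0 {home_lon},{home_lat},0</coordinates></LineString></Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            + "".join(placemarks) + "</Document></kml>")

# Constructed sample net-flow records: (source IP, connection time).
FLOWS = [("203.0.113.7", datetime(2008, 9, 29, 10, 56)),
         ("198.51.100.23", datetime(2008, 9, 29, 10, 56)),
         ("192.0.2.50", datetime(2008, 9, 29, 10, 56))]
```

Save the output of `to_kml(FLOWS)` as a `.kml` file and open it in Google Earth to see the three connections drawn back to the monitored host.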

I won’t take credit for these ideas directly. The first came as inspiration after viewing this XKCD comic http://xkcd.com/350/ and creating a honeynet for just this purpose. The Google Earth rendering came from seeing Mike Kershaw’s map at The Last HOPE, where he was rendering only net-flows with no threat information. Either way, you can already see the value your data has within your network; it’s just a question of how you want to picture it.


2 Comments

  1. Travis Schack Sep 29, 2008 at 10:56 am

    Have you seen this tool: http://code.google.com/p/cosight/

  2. Russell Handorf Sep 29, 2008 at 4:23 pm

    @Travis-

    No, I haven’t seen that tool. But it certainly seems that we’ve done the same thing.
