Network forensics gets a ‘Minority Report’-style UI

analysis
Jul 21, 2010

A network security traffic analysis tool, sporting a wicked UI, heralds a new era of easy cyber forensics

Has dummy-proof network forensics arrived? A recent YouTube video from network security software vendor NetWitness, which shows off one of the coolest UIs ever, makes that prospect seem likely.

The video is a promotional trailer for a new Visualize module for NetWitness’ Informer product — a kind of security information and event management product that works on top of NetWitness’ network traffic capture platform. View it on YouTube and fast-forward to around the 3:50 mark to check out the bit on Visualize.


As the name suggests, the cool thing about Visualize is its ability to render network traffic graphically. Instead of merely logging that Paul was viewing his holiday photo album on Flickr or sending out a PDF over his Gmail account, or regurgitating the session data in a text file, an analyst using Visualize would see the session as the person who conducted it did — viewing the actual photos and documents.

Visualize lets analysts do this across a swath of thousands of network sessions — that is, individual sessions rendered not as abstract strings of binary or hexadecimal data, but as discrete blocks of “stuff,” including images, application data, documents, VoIP sessions, and other rich media that can be manipulated, drilled into, and otherwise poked at.

Clicking on one of these blocks allows analysts to pivot to other related sessions and data (say, display all the images associated with this user or IP address). It all brings to mind that amazing scene from the movie “Minority Report” where Tom Cruise, playing Chief John Anderton, conducts a fast moving “pre-murder” investigation using a wall-size, touch-sensitive GUI that lets him manipulate images and video data and feeds from many sources with the aid of nothing more than a wacky, three-fingered glove.

That film, which came out in 2002, anticipated many of the advances in graphical interface and touch-sensitive displays that have appeared in the years that followed — not least of which are the iPod Touch, iPhone, and iPad. But it has even more powerful devotees in circles like defense and computer security, where adaptive, persistent adversaries like those behind the “Aurora” attacks on Google and other prominent Western firms put the focus on correlating discrete bits of data that can identify the who (hacker, terrorist, state actor) and not just the what (virus, bot, Trojan).

This isn’t about tooting NetWitness’s horn. The gee-whiz stuff in the company’s promo video disguises an awful lot of customization and integration work on the back end that requires a subtle understanding of networking. With prices starting at around $200,000, this is software and hardware for government agencies and large, wealthy companies facing sophisticated threats — not gear you’re gonna buy at Fry’s any time soon. Besides, NetWitness isn’t alone in this game. Other vendors offer similar types of capabilities, or they will soon.

But I think you can look at Visualize and, well, visualize a future in which specialized skills like network forensics and cyber investigation are just a lot less specialized (and less expensive) — and that’s a good thing. This, of course, shouldn’t surprise anyone. We all know that technology has a tendency to democratize what had previously been specialized skills. I spent two years in high school learning darkroom techniques such as film development and dodging and burning. Now anyone who can punch in a license key and navigate a drop-down menu on Photoshop or GIMP can perform those tasks with far better accuracy than I ever could.

So too in the world of software development — as we recently noted, new business process modeling and application development tools have lowered the bar for those wishing to join the ranks of developers, as well as lowered the premium for college-trained computer science majors. Tools like Visualize transform tasks that once demanded rarefied skills into something almost any intelligent person can accomplish. The larger question is whether that will correlate to an improvement in the security of public and private organizations. The jury is still out on that matter.

This article, “Network forensics gets a ‘Minority Report’-style UI,” was originally published at InfoWorld.com.