Am I getting hacked right now?
System administrators spend most of their day asking that question, and the tools they get to answer it are long log files full of unassociated events and people complaining when something breaks. Instead of looking at logs, let's make that data tell a story.
This graphic tells the story of bad logins over half an hour in a large company. Hackers often start by making failed logins, but it's tough to tell the good guys making typos from the real bad guys. You can't set a warning for every time someone mistypes their password.
This graphic starts with a baseline of all the successful logins in the time period, shown in gray. When there's a bad login we assign the computer it came from a color. When that computer uses the same username over and over we move the dots up. Move your mouse over each dot to see some more information.
Mr. Pink in the HR Database looks pretty safe. He tried the same user a few times and then finally got the right password. Mr. Pink just has fat fingers. Same with Mr. Green or Mr. Beige in the SAP Payroll System. Mr. Pink also tried to log into the Payroll Processing system, but he gave up after three tries.
Ms. Gold looks like a computer. We're making her gold because she looks a little suspicious. She's trying the same username over and over again in three different systems at the same time. She's also going faster than anyone could type. Ms. Gold may be a computer, but she doesn't look dangerous. Many people configure Windows to log in automatically for them, and it looks like Ms. Gold just has her computer set with the wrong password.
Mr. Red is a different story. Mr. Red uses many different usernames in a short time. When he finds a username he likes he keeps trying it with different passwords. He also tries different usernames at the same time. Mr. Red is a bad man. Not only does he look like a hacker, but it looks like he found a bug in the system. It shouldn't be possible to tell if a username is valid, but Mr. Red found a way. Mr. Red also successfully logged in as two different users.
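The three patterns above can also be told apart in code. The following is an added example, not part of the original graphic: the events, source names, usernames and both thresholds are constructed assumptions, and only the system names come from the article.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (not from the article): tune against your own baseline.
MANY_USERNAMES = 3       # distinct usernames failing from one source
HUMAN_GAP_SECONDS = 1.0  # failures closer together than this are not typed by hand
# Constructed events: (time in seconds, source, system, username, success)
EVENTS = [
    (0.0, "pink", "HR Database", "asmith", False),
    (8.0, "pink", "HR Database", "asmith", False),
    (19.0, "pink", "HR Database", "asmith", True),
    (30.0, "gold", "HR Database", "jdoe", False),
    (30.1, "gold", "SAP Payroll System", "jdoe", False),
    (30.2, "gold", "Payroll Processing", "jdoe", False),
    (40.0, "red", "HR Database", "admin", False),
    (41.0, "red", "HR Database", "root", False),
    (42.0, "red", "HR Database", "bjones", False),
    (44.0, "red", "HR Database", "bjones", False),
    (45.0, "red", "HR Database", "bjones", True),
    (50.0, "gray", "SAP Payroll System", "mlopez", True),
]

def classify(events):
    """Return {source: (label, accounts that succeeded after failing)}."""
    by_source = defaultdict(list)
    for event in sorted(events):
        by_source[event[1]].append(event)
    result = {}
    for source, rows in by_source.items():
        failures = [r for r in rows if not r[4]]
        failed_users = {r[3] for r in failures}
        # Successes for a username this source had already failed on.
        recovered = sorted({r[3] for r in rows if r[4] and
                            any(f[3] == r[3] and f[0] < r[0] for f in failures)})
        gaps = [b[0] - a[0] for a, b in zip(failures, failures[1:])]
        if not failures:
            label = "baseline"         # gray dots
        elif len(failed_users) >= MANY_USERNAMES:
            label = "many usernames"   # the Mr. Red pattern
        elif gaps and median(gaps) < HUMAN_GAP_SECONDS:
            label = "automated retry"  # the Ms. Gold pattern
        else:
            label = "likely typo"      # the Mr. Pink pattern
        result[source] = (label, recovered)
    return result

if __name__ == "__main__":
    for source, (label, recovered) in classify(EVENTS).items():
        print(f"{source:5} {label:16} succeeded after failing: {recovered}")
```

A "many usernames" source with a non-empty recovered list is the case to escalate first, since those accounts were entered after repeated guessing.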
This graphic shows you 810 distinct points of data over eight data dimensions. Showing that many log events in a long list is overwhelming, but breaking it up and giving the data meaning makes it possible to know at a glance if your company is getting hacked.
This chart plots:
This graphic was created using HTML, CSS, Raphaël, and a little jQuery.
Created by Zack Grossbart