Making Data Tell A Story - Bad Logins

Am I getting hacked right now?

System administrators spend most of their day asking that question, and the tools they get to answer it are long log files with unassociated events and people complaining when something breaks. Instead of looking at logs, let's make that data tell a story.

This graphic tells the story of bad logins over half an hour in a large company. Hackers often start by making failed logins, but it's tough to tell the good guys making typos from the real bad guys. You can't set a warning for every time someone mistypes their password.

[Interactive graphic: 73 successful logins and 737 failed logins on 01-FEB, with time axis ticks from 11:00 AM to 11:25 AM. Swimlanes: HR Database, SAP Payroll System, Identity System, Payroll Processing, PeopleSoft.]

Telling the story

This graphic starts with a baseline of all the successful logins in the time period, shown in gray. When there's a bad login, we assign the computer it came from a color. When that computer uses the same username over and over, we move the dots up. Move your mouse over each dot to see some more information.

Mr. Pink in the HR Database looks pretty safe. He tried the same user a few times and then finally got the right password. Mr. Pink just has fat fingers. Same with Mr. Green or Mr. Beige in the SAP Payroll System. Mr. Pink also tried to log into the Payroll Processing system, but he gave up after three tries.

Ms. Gold looks like a computer. We're making her gold because she looks a little suspicious. She's trying the same username over and over again in three different systems at the same time. She's also going faster than anyone could type. Ms. Gold may be a computer, but she doesn't look dangerous. Many people configure Windows to automatically log in for them, and it looks like Ms. Gold just has her computer set with the wrong password.

Mr. Red is a different story. Mr. Red uses many different usernames in a short time. When he finds a username he likes, he keeps trying it with different passwords. He also tries different usernames at the same time. Mr. Red is a bad man. Not only does he look like a hacker, but it looks like he found a bug in the system. It shouldn't be possible to tell if a username is valid, but Mr. Red found a way. Mr. Red also successfully logged in as two different users.
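The three patterns above can also be checked directly against login events. The following is an added example, not code from the original page: the event tuples, the documentation-range IP addresses, the labels, and the thresholds (`many_users`, `fast_secs`) are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (seconds, source IP, system, username, success).
EVENTS = (
    [(t, "192.0.2.10", "HR Database", "alice", ok)          # typos, then success
     for t, ok in [(10, False), (25, False), (40, True)]]
    + [(t, "192.0.2.10", "Payroll Processing", "alice", False) for t in (100, 115, 130)]
    + [(200 + i * 0.2, "192.0.2.20", system, "carol", False)  # one user, 3 systems, fast
       for i, system in enumerate(["HR Database", "SAP Payroll System", "PeopleSoft"] * 4)]
    + [(300 + i * 2, "192.0.2.30", "Identity System", f"user{i % 6}", False)
       for i in range(18)]                                   # many usernames
    + [(340, "192.0.2.30", "Identity System", "user2", True),
       (345, "192.0.2.30", "Identity System", "user5", True)]
    + [(50, "192.0.2.40", "PeopleSoft", "dave", True)]       # baseline success only
)

def classify(events, many_users=5, fast_secs=1.0):
    """Return {source IP: (risk label, accounts that failed and later succeeded)}.
    Thresholds are illustrative assumptions, not values from the article."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[1]].append(ev)
    result = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e[4]]
        if not fails:
            result[src] = ("baseline", [])
            continue
        users = {e[3] for e in fails}
        systems = {e[2] for e in fails}
        # Mean time between failures: a proxy for "faster than anyone could type".
        mean_gap = (fails[-1][0] - fails[0][0]) / max(len(fails) - 1, 1)
        first_fail = {}
        for e in fails:
            first_fail.setdefault(e[3], e[0])
        # Accounts this source got into after failing on them first.
        won = sorted({e[3] for e in evs
                      if e[4] and e[0] > first_fail.get(e[3], float("inf"))})
        if len(users) >= many_users:
            label = "high: many usernames"
        elif len(fails) >= 3 and mean_gap < fast_secs and len(systems) > 1:
            label = "medium: automated retry"
        else:
            label = "low: likely typos"
        result[src] = (label, won)
    return result

if __name__ == "__main__":
    for src, verdict in classify(EVENTS).items():
        print(src, verdict)
```

A source labelled high that also has entries in its second field is the Mr. Red case: the listed accounts should be treated as compromised.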

The gritty details

This graphic shows you 810 distinct points of data over eight data dimensions. Showing that many log events in a long list is overwhelming, but breaking it up and giving the data meaning makes it possible to know at a glance if your company is getting hacked.

This chart plots:

  1. Successful logins are the gray dots on the bottom
  2. Unsuccessful logins use all the other colors
  3. Time moves along from left to right
  4. Each IP address uses a different color
  5. The same username moves the dots up
  6. The curves show you username repetitions
  7. The system being accessed shows up in its own swimlane
  8. Risk level is displayed with different colors like red and gold for higher risk

This graphic was created using HTML, CSS, Raphaël, and a little jQuery.

Created by Zack Grossbart