After the fact, it's pretty easy to tell if your organization's system has been attacked. We're all familiar with the nightmare scenario of the aftermath of a successful security breach. Compromised servers, lost data, privacy invasions and identity theft are just some of the possible results of such an event.

But how can you tell if an attack has just started? This huge amount of data tracked by security monitoring software makes it very difficult to see anomalous activity in the tens of thousands of records that make up even an hour of activity in large organizations. For that reason, data visualizations have served a key role in presenting data in an easy-to-grasp fashion. But even the best data visualizations display slices of data or sections of aggregated information such as these charts. These data visualizations are built on our assumptions of what attacks will look like, what targets will be hacked, what attack vectors will be used, even what geographies, source programs or users are most likely to generate the attack.

But attackers are smart and know their technology just as well as the people trying to block them. They not only know how to carry out successful breaches, they often know how defenders will try to foil their attacks.

The new IBM Guardian Data Insight Cognitive Visualization addresses this challenge by making no preconceived assumptions about the attack. The first tool to employ cognitive data visualization for enterprise database protection, Data Insight just plays back the log of any recent time period you want to examine, creating an engaging live-action display that allows security officers to see an attack as it happens.

Let's take a look at how the Data Insight screen displays information. Two planes of data are displayed in the dynamic visualization on the screen. Each shot from an item on the top plane to the items on the bottom plane represents an access request.
You decide what the items on both planes represent: client IPs, database users, databases and so on. In this example, the top plane, labeled here "client IP", represents the different users accessing the data, while the bottom plane, labeled here "database", shows the various databases in your organization. The visualization displays a chronological representation of data access activity as displayed in the log below. When viewing a specific time frame of data activity, the ascending count in the component represents the rows of the log as they're shown graphically on screen.

Let's take a look at a few different scenarios to see how Guardian Data Insight can display data and help security officers see anomalies and possible breaches. In this example, the items on the top plane are different client IPs differentiated by color. Here we see several different users accessing various databases when one user starts to suddenly very aggressively scan many databases at once. The security officer can then click on that user in the display and see his client IP, enabling swift handling of this problem.

Here's another example. In this instance, the entities on the top plane represent different database users separated by color to represent the different source programs being used to access the databases below. The changing colors on this single sphere represent a single database user using multiple source programs simultaneously to access various databases.

In a third scenario, the top plane items are database users colored by different client IPs. Here we see a single client IP using multiple database user IDs simultaneously. This means someone on a single machine is using a large number of database user IDs to access a single database.

In all these situations, spotting this kind of suspicious behavior would be very hard using traditional or previously available visualizations.
In summary, Guardian Data Insight helps security officers see the big picture concerning data access in their organization. This is the first technology of its kind that employs cognitive data visualization for enterprise database protection. It provides an innovative and valuable tool to help monitor and detect attacks while they're happening. For more information, contact us at IBM Security.