Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Mind Mapping automation in information security log analysis

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Manually reviewing log files has the following problems:

• Time consuming

• Monotonous

• Difficult to prioritize events

• Difficult to visualize important events

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Advantages of Mind Maps

• Visual display of information • Information grouped by device, date-time, type

of event and type of file • Flexible • Easy to add comments and callouts to the basic

Mind Map • Easy to share • Exportable to PDF, Word and HTML • Tree structure • Searchable

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Example of application of Mind Mapping automation

Endpoint Protector

Data Loss Prevention solution

“Make sure sensitive data does not leave your network whether copied on devices, clipboard or through applications, online services and even as screen captures.”

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Endpoint Protector

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Log generated by Endpoint Protector

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Example of a log file generated by Endpoint Protector

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Mind Maps generated

• Events by device

• Events by date-time

• Events by type of event

• Events by type of file

• Events by user

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

EVENTS BY DEVICE

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Log file processed with Mind Mapping automation

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Overview

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

USB – 1

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

USB – 2 (Events)

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

USB - 2

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Webcam

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Network Adapter

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

WiFi Adapter

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

CD-ROM

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

EVENTS BY DATE-TIME

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Level 1

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Overview

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Events in a day

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Events in a day

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Events in a day

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

EVENTS BY TYPE OF EVENT

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Overview

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Level 1

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

File read

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

File rename

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

File delete

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Enabled

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Disconnected

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

EVENTS BY TYPE OF FILE

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Overview

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Level 1

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

url file

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

AVI

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Application

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

EVENTS BY USER LOGGED

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Overview

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Level 1

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

User: Alice Johnson

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

User: John Smith

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

REVIEW PROCESS

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Review detail of a File delete

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Mind Map of the events to review by user logged

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Summary

• Mind Mapping automation is a very useful tool to analyze security logs

• It can be adapted to any type of log

• It reduces the analysis time

• It is very scalable

• It simplifies the analysis of log files

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml

Contact Information

• José M. Guerrero

• jm@infoseg.com

• Slideshare Presentations

(C) Infoseg 2014 http://www.infoseg.com/mi_01_en.shtml