YoVDO

The Investigators Labyrinth - A Data-Driven Perspective

Offered By: Security Onion via YouTube

Tags

Security Onion Courses, Cybersecurity Courses, Digital Forensics Courses, Incident Response Courses, Network Security Monitoring Courses

Course Description

Overview

Explore "The Investigators Labyrinth: A Data-Driven Perspective" in this 30-minute conference talk by Chris Sanders at Security Onion Conference 2016. Delve into the economics of security, the evolution of Network Security Monitoring (NSM), and the cognitive revolution in Digital Forensics and Incident Response (DFIR). Examine investigations as mental labyrinths and learn how to navigate them effectively. Discover a scenario-based approach to investigation analysis, including key data sources and their impact on analysis speed and efficiency. Analyze patterns in analyst behavior, such as initial data focus, disposition judgement steps, and the tendency to prove or disprove alerts. Gain insights into key phrase mapping and its role in enhancing investigative processes.

Syllabus

Intro
Economics of Security
Evolution of NSM
Symptoms of a Cognitive Crisis
The Cognitive Revolution in DFIR
Investigations as Mental Labyrinths
Navigating the Labyrinth
Studying the Investigation Process
A Scenario-Based Approach to Investigation Analysis
Additional Data Sources
The Compromise
What data did analysts look at first?
Did the first move affect analysis speed?
What happens when Bro data replaces
What data sources were viewed most and least frequently?
How many steps were taken to make a disposition judgement?
Did analysts investigate friendly or hostile systems first?
Do analysts seek to prove or disprove the alert?
Key Phrase Mapping


Taught by

Security Onion

Related Courses

Foundations of Computer Science for Teachers
The University of Texas at Austin via edX
Computer Forensics
Rochester Institute of Technology via edX
FinTech Security and Regulation (RegTech)
The Hong Kong University of Science and Technology via Coursera
Cyber Security
CEC via Swayam
Fundamentos de Ciberseguridad: un enfoque práctico
Inter-American Development Bank via edX