Sherlock Holmes is universally recognized as the quintessential investigator. His powers of observation and unshakable focus solved numerous mysteries. Of course, these traits have their negative effects as well. Holmes had only one close associate, Dr. Watson, and his devotion to his work came at the exclusion of most other things. Yet it was precisely this focus that enabled Holmes to be as consistently successful as he was.
How can we employ Holmes’ techniques in problem management and incident response in information security? The simplest formulation of Holmes’ approach is “Observation, Deduction, Knowledge.” This framework can help us apply our limited resources effectively to these challenges. Explore the framework and see if it will strengthen your firm’s security posture. The Holmes quotes below come from The Complete Sherlock Holmes, by Sir Conan Doyle.
Observation
“How dangerous it always is to reason from insufficient data.”
People typically think about problems by brainstorming possible causes and then exploring them. We are encouraged to innovate, follow our own path, and so forth. This thinking proceeds from cause to effect. Deductive thinking instead takes the full range of identifiable effects and analyzes each one to discover the unifying, underlying cause; it proceeds backwards from effect to cause. This is a painstaking process, but it more reliably produces the true root cause. Observation therefore means cataloguing every identifiable effect of a security incident before proposing any cause. Once all of those effects have been collected, the deduction phase of analysis can begin.
Deduction
“How often have I said to you that when you have eliminated the impossible, whatever remains, no matter how improbable, must be the truth.”
After observation, analysis proceeds to the discipline of deduction. Apply logic to the observations collected earlier to eliminate impossible causes. This phase of analysis can benefit from rigorous approaches such as the Analysis of Competing Hypotheses (ACH), in which each piece of evidence is rated against every candidate explanation rather than gathered in support of a favourite. Unbiased exploration of each hypothesis will help eliminate all impossible or untrue scenarios. The remaining scenarios are the ones actually supported by the facts found during the observation phase.
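The ACH step described above, as an added worked example that is not part of the original post: each observation (the "effects" gathered during Observation) is rated against every hypothesis, hypotheses are ranked by how much evidence contradicts them, and those contradicted by a verified fact are eliminated. The incident, hypotheses, ratings and weights are constructed for illustration.

```python
"""Minimal Analysis of Competing Hypotheses (ACH) matrix for incident triage.
Added example, not from the original post; evidence and hypotheses are constructed."""
from typing import Dict, List, Tuple

# Rating of one observation against one hypothesis.
CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

HYPOTHESES: List[str] = ["phished credentials", "web server exploit", "benign misconfiguration"]

# observation -> (weight, rating per hypothesis). Weight 2 marks a hard, verified fact.
EVIDENCE: Dict[str, Tuple[int, Dict[str, str]]] = {
    "interactive logon from a new country minutes after the user reported a phishing mail":
        (2, {"phished credentials": "C", "web server exploit": "N", "benign misconfiguration": "I"}),
    "web server fully patched; WAF shows no exploit attempts in the window":
        (2, {"phished credentials": "N", "web server exploit": "I", "benign misconfiguration": "N"}),
    "outbound connections to a host absent from the change log":
        (1, {"phished credentials": "C", "web server exploit": "C", "benign misconfiguration": "I"}),
    "a change ticket was closed the same afternoon":
        (1, {"phished credentials": "N", "web server exploit": "N", "benign misconfiguration": "C"}),
    "endpoint antivirus raised no alerts":
        (1, {"phished credentials": "N", "web server exploit": "N", "benign misconfiguration": "N"}),
}

def inconsistency_scores(evidence, hypotheses) -> Dict[str, int]:
    """Weighted amount of evidence contradicting each hypothesis (lower is better)."""
    scores = {h: 0 for h in hypotheses}
    for weight, ratings in evidence.values():
        for h in hypotheses:
            if ratings[h] == INCONSISTENT:
                scores[h] += weight
    return scores

def non_diagnostic(evidence) -> List[str]:
    """Evidence rated identically against every hypothesis cannot distinguish between them."""
    return [e for e, (_, ratings) in evidence.items() if len(set(ratings.values())) == 1]

def rank_hypotheses(evidence, hypotheses) -> List[Tuple[str, int]]:
    """Hypotheses ordered from least to most contradicted."""
    return sorted(inconsistency_scores(evidence, hypotheses).items(), key=lambda kv: kv[1])

def surviving(evidence, hypotheses, hard_weight: int = 2) -> List[str]:
    """What remains after eliminating hypotheses contradicted by any hard (verified) fact."""
    return [h for h in hypotheses
            if not any(r[h] == INCONSISTENT and w >= hard_weight for w, r in evidence.values())]

if __name__ == "__main__":
    for h, s in rank_hypotheses(EVIDENCE, HYPOTHESES):
        print(f"{s:2d}  {h}")
    print("non-diagnostic:", non_diagnostic(EVIDENCE))
    print("surviving:", surviving(EVIDENCE, HYPOTHESES))
```

The non-diagnostic check matters in practice: an observation that fits every hypothesis equally is easy to over-weight yet eliminates nothing.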
Knowledge
“You know my methods. Now apply them.”
Knowledge comes from the disciplined application of sound methods to verified facts. Anything less is guessing. Educated guessing, perhaps, but nonetheless guessing. Every effort spent improving the disciplines of observation and deduction cannot help but improve the quality of the knowledge gained in information security analysis.