Where Do I Put The Batteries In My IT Flashlight?

OK, the last post was on the need for an IT CSI flashlight. In this post, we look more closely at how this IT flashlight might work. This flashlight needs to provide the IT sleuth with three things: focus, relationship and intensity. First, focus: what is the equivalent of scanning the room and quickly zeroing in on the body-part splatter on the wall? To achieve this, the IT flashlight must have visibility into the entire data log content of the enterprise (the equivalent of the walls, floor and ceiling), yet the operator must be able to quickly scan through the data, focusing on one section at a time. The ability to scan quickly, illuminating the areas that need more focus and eliminating those that are irrelevant, is fundamental to the success of the IT flashlight. Unlike automated scanners that require preset rules, the scanning IT flashlight must closely couple man and machine in a learning process where focus is continually improved. Just as Grissom has learned that missing body parts should be looked for under the bed, the IT Grissoms also learn that there are certain event logs and events that are more likely to contain, or be, clues to the crime in their IT environment. This prioritization is a learning process for Grissom and the IT CSI. Over time, the accuracy with which the flashlight is wielded improves.

The second value of the flashlight is showing the relationship between clues, in three dimensions. In the real world, relationships between clues may be discerned by shining light on an area and correlating the visual cues (the trajectory of the beam through the air and the size of the light circle on the wall) with physical cues (the angle of the flashlight in relation to the CSI's body and the position of their body in space). Putting these inputs together, Grissom’s brain is able to continually build three-dimensional relationship models. Likewise, the IT flashlight needs to provide the user with cues that help to establish a digital equivalent. One difference between the virtual and real world is Grissom’s brain-body feedback loop. Somehow, the IT flashlight must also present the user with continually updated feedback that facilitates the creation of similar clue relationship maps. What do these maps look like? Certainly, charts, colors, differing font sizes and even Venn diagrams are ways to plot the clue relationships in meaningful ways. The bottom line is that, to achieve the equivalent of three-dimensional clue mapping in the virtual world, there must be a way of generating the equivalent of digital proprioception and the associated mind-body feedback loop.

Finally, intensity. The CSI shining a light illuminates clues with differing intensities of light. In some cases, shadows cast by the flashlight may be more valuable than the direct light itself. The IT flashlight must also represent this intensity characteristic. By shining on the event logs in the IT data repository, the IT flashlight presents differing levels of intensity by highlighting events according to how frequently they occur. After all, high-frequency events may have low significance, and the fact that an event occurs at a low frequency (a shadow) may be highly significant. The tool needs to lay out the intensity levels for the IT user, so the user may then make intelligent decisions on the significance of the relative intensities of the events themselves.
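One way to lay out these intensity levels, as an added example that is not part of the original post: collapse each event to a template by masking its variable fields, count each template, and list the rarest (the shadows) first, leaving the judgment of significance to the analyst. The log format, the masks, the function names and the choice of a surprise score in bits are all assumptions made for this illustration, and the sample events are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample events in "<timestamp> <source> <message>" form.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd session opened for user alice from 10.0.0.5
2024-05-01T10:00:07Z sshd session opened for user bob from 10.0.0.9
2024-05-01T10:01:12Z sshd session closed for user alice from 10.0.0.5
2024-05-01T10:02:30Z sshd session opened for user carol from 10.0.0.7
2024-05-01T10:03:02Z sshd session closed for user bob from 10.0.0.9
2024-05-01T10:04:44Z sshd session opened for user alice from 10.0.0.5
2024-05-01T10:05:10Z auditd audit log cleared by user dave
2024-05-01T10:06:00Z sshd session closed for user carol from 10.0.0.7
2024-05-01T10:06:30Z sshd session closed for user alice from 10.0.0.5
"""

# Variable fields are masked so events of the same kind share one template.
# Order matters: IPs are masked before bare numbers.
MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"(?<=user )\S+"), "<user>"),
    (re.compile(r"\b\d+\b"), "<n>"),
]

def template(line):
    """Drop the leading timestamp and mask variable fields."""
    _, _, rest = line.strip().partition(" ")
    for pattern, token in MASKS:
        rest = pattern.sub(token, rest)
    return rest

def intensity_map(lines):
    """Return (template, count, surprise_bits) rows, rarest first.

    surprise_bits is -log2(count / total): the rarer the event type,
    the higher the score. Ranking only; significance is the analyst's call.
    """
    counts = Counter(template(l) for l in lines if l.strip())
    total = sum(counts.values())
    rows = [(t, c, -math.log2(c / total)) for t, c in counts.items()]
    return sorted(rows, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    for tmpl, count, bits in intensity_map(SAMPLE_LOG.splitlines()):
        print(f"{count:>4}  {bits:5.2f} bits  {tmpl}")
```

Without the masking step every line would be unique and therefore equally "rare", so the quality of the templates determines how useful the ranking is.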
