Published on Nemertes Research (http://www.nemertes.com)
Who's The CSI In Your IT Shop?
By Ted Ritter
Created 2008-02-28 14:55

Recently, my wife and I traveled from Virginia to Arizona in a winter migration to get away from the snow, cold and dampness of the DC area. Each night we’d camp in RV parks and, for some strange reason, the only show on TV was some variant of CSI. Well, it was either CSI or the local bible channel and, being the sinners that we are, we always opted for CSI. In watching the episodes – and we must have seen them all – I always marveled at how Grissom and crew always entered a room with a flashlight. Why do they do this? Why not just throw on the lights? Obviously, there are aesthetic effects that go beyond my cinematic knowledge. But there must be some rationality behind this. At the same time, I've been wondering whether there is an analogy for an IT CSI. Is there an equivalent IT flashlight?

For Grissom and crew, I can see three advantages of using a flashlight: focus, relationship and intensity. First, the flashlight helps to focus the search by illuminating only the area where it is shined. Second, using a flashlight also creates relevance to the point of search. When Grissom stands at the point of the crime and shines the flashlight on the brain bits on the wall, he gains proprioceptive feedback on the relationship between the victim and the splatter, based on: the angle of his wrist; the position of his arm; and, the visual cues from the light beam itself (the rooms are always dusty or smoky). Finally, the flashlight illuminates a primary area and throws secondary light and shadows on nearby spaces. This varying intensity of the light provides visual cues to Grissom that his brain translates into valuable data; data that is used to determine the force of the impact, the size of the weapon and even the size of the killer.

So, if you’re still with me, what’s the analogous situation in an IT shop? IT CSIs are continually looking for clues to solve the many mysteries of day-to-day IT operations and security. IT Grissoms have two options: throwing on the lights and tackling log files head-on, or deploying automated tools that run through the logs to spit out anomalies and associated IT clues. In the first case, the IT CSI is easily overwhelmed with the volume of data, resulting in clues being missed. In the second case, he/she is presented with a more manageable subset of data, but there is an inherent dependence on the tool to make the decisions on focus, relevance and intensity. In either case, there is no equivalent of the proprioceptive feedback gained with the flashlight. What's needed is the equivalent of an IT flashlight that may be used to quickly focus on the clues – without overwhelming data – and provide instantaneous feedback to the CSI with information that may be used to assess the relevance and intensity of the clues themselves.
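As an added illustration (not part of the original post or any Nemertes tool), here is a small Python sketch of what such an "IT flashlight" might look like when pointed at a log file. The analyst chooses a focus term (an IP address, a user name); lines that contain it are lit at full intensity, and lines that do not contain it but fall within a short time window of a hit are lit at a lower intensity that fades with temporal distance. Everything outside the beam stays dark, so the analyst sees the primary clue and its immediate surroundings without the whole log. The log lines and the `illuminate` function are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample syslog-style lines (hypothetical, not from the original post).
# Each line starts with an ISO-8601 timestamp followed by the message.
SAMPLE_LOG = """\
2008-02-28T14:50:01 sshd[2011]: Failed password for root from 203.0.113.7 port 40112 ssh2
2008-02-28T14:50:03 sshd[2011]: Failed password for root from 203.0.113.7 port 40113 ssh2
2008-02-28T14:50:05 sshd[2011]: Accepted password for admin from 203.0.113.7 port 40114 ssh2
2008-02-28T14:50:06 sudo: admin : TTY=pts/0 ; COMMAND=/usr/sbin/useradd backup2
2008-02-28T14:52:30 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
2008-02-28T15:10:00 sshd[2099]: Accepted publickey for deploy from 198.51.100.4 port 51000 ssh2
"""


def parse_line(line):
    """Split one log line into (timestamp, message)."""
    ts_text, message = line.split(" ", 1)
    return datetime.fromisoformat(ts_text), message


def illuminate(log_text, focus, beam_seconds=60):
    """Point the 'flashlight' at `focus` and return what it lights up.

    Returns a list of (timestamp_iso, message, intensity) tuples:
      - intensity 1.0 for lines that contain the focus term (the primary beam);
      - intensity between 0 and 1 for non-matching lines that fall within
        `beam_seconds` of the nearest hit (secondary light, fading with
        distance in time);
      - nothing at all for lines outside the beam.
    """
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hit_times = [ts for ts, msg in entries if focus in msg]
    if not hit_times:
        return []  # nothing to shine on; the room stays dark

    lit = []
    for ts, msg in entries:
        if focus in msg:
            intensity = 1.0
        else:
            # Distance in seconds to the closest primary hit.
            nearest = min(abs((ts - h).total_seconds()) for h in hit_times)
            if nearest > beam_seconds:
                continue  # outside the beam: not shown
            intensity = round(1.0 - nearest / beam_seconds, 2)
        lit.append((ts.isoformat(), msg, intensity))
    return lit


if __name__ == "__main__":
    for ts, msg, intensity in illuminate(SAMPLE_LOG, "203.0.113.7"):
        # A simple visual cue: brighter lines get more '#' characters.
        bar = "#" * int(round(intensity * 10))
        print(f"{bar:<10} {ts} {msg}")
```

Pointing the beam at `203.0.113.7` shows the three SSH attempts from that address at full intensity and the `sudo` command one second later at slightly lower intensity, while the cron job two minutes later and the unrelated login twenty minutes later are left in the dark. The time-window "intensity" is the feedback the post asks for: it tells the analyst how close a neighbouring event sits to the clue without requiring the tool to decide in advance what is relevant.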

In the next post, we'll look more closely at the application of the IT flashlight.

The Nemertes Research Group Inc. Copyright ©2002-2008

Source URL (retrieved on 2008-08-29 19:40): http://www.nemertes.com/analyst_blogs/who_is_the_csi_in_your_it_shop