
The Art of Analysis: How Analyzing Art Helps Us Be Better Analysts

BSides Buffalo · 2022 · 53:45 · 213 views · Published 2022-06
Category: Career
Style: Talk
About this talk
There are many learning platforms that teach the technical skill sets needed for an investigation. What is usually lacking is the thought process and questions that are necessary to take a real-life investigation to its resolution. By using Amy Herman’s book “Visual Intelligence,” we will see how looking at art can make us stronger analysts, capture the flag players, or just all-around more perceptive of the world around us.

About the speaker: Jeff Domedion. I’ve been in several different security positions over my career, but the analyst role is by far my favorite. I currently work as a security analyst in the healthcare industry. I also enjoy writing blogs on my website and leaking my geolocation via Pokémon Go.
Transcript [en]

All right, so today's talk: there's one other slide that has a little bit more text on it, but the majority of what I'll be talking about today will have pictures, so be ready to look at pictures. We'll be looking at, essentially, art and how that correlates with being a security analyst. Before we jump into any of the presentation, a little bit about me: I'm Jeff Domedion, like comedian; it's an easy way to remember my name. I do have a website, domedion.com (luckily I got that). I just have blog posts about things I face in security, from the perspective of being a security analyst. I have been in security since 2014, and actually been interested in security since high school. My first role was a security analyst; I became a security engineer, went back to being an analyst, became a detection engineer, went back to analyst, incident response analyst. If you see the trend, I keep going back to being a security analyst; it's what I really enjoy doing. Before we go even a step further: a lot of the work that I'll be talking about here today is based on Amy Herman's book Visual Intelligence. Amy has trained a wide variety of professionals, from the medical industry to the military to cops, where those split-second decisions need to be analyzed very quickly and the right decisions made.

So how can you do that? She has this idea of essentially looking at art to do that, and I found that a lot of her ideas correlate directly to being a security analyst.

So to set the tone for the rest of the presentation, we'll put on our security analyst hats. The idea is we're going to be looking at a piece of artwork, and I want you to analyze it. What that consists of is note taking; I want you to document. This could be a pad of paper, a pen, your cell phone; you've got a laptop in front of you. The idea is you're going to be looking at pieces of artwork and I want you to treat it as an analyst would, and one of the steps is [unclear].

So this next slide that I'm going to show you, we're going to spend two minutes and take a look at it. I want you to make notes on the picture itself, and then we'll revisit that slide later on in the presentation. Timer starts. Go.


If you just came in, we're looking at this picture; we've got about another minute or so. The idea is you want to look at it and do an analysis. It's kind of like a baseline for us, so this consists of maybe writing down notes of what you see, and we'll revisit that again.

All right, two minutes are up. Now, you wrote some notes, you analyzed it a little bit, but what I want you to focus on or think about is that two minutes: how did that feel to you? Did that feel like an eternity? Did it feel like within a minute you were done with the analysis? Could you use more time? Yeah, everybody is different. So there was a study back in 2001 that an art museum did. They did a survey and they found that, roughly, when somebody went to a museum and looked at a piece of artwork, they spent a little less than 30 seconds looking at that piece of artwork. That's barely anything. Of course there were people that spent less time, there's people that spent maybe more time, but on average they only spent 30 seconds looking at it. And I thought, well, this is in 2001; the internet happened, so there's things like TikTok, YouTube, all these short videos, where in 10 seconds you've got to get something out there because of the attention span. I couldn't find anything up to date, like 2022, but in 2016 they did the survey again, and they found that it was actually very similar in nature. It actually went up to 28 seconds on average, but the deviation wasn't that different; it was about the same.

So as we're putting on our security analyst hats, we have a tendency, when we see an alert in a SIEM or EDR, to want to answer it quickly. We want to get to the final conclusion immediately; we don't want to spend any time, because we've got more in the backlog, we've got more things to do; we don't want to spend that extra time. One of the ideas that I have, especially as an analyst looking at an alert, is to slow things down, take your time, and it kind of comes up with this idea of meditation. Meditation is the idea of training yourself to focus and be aware of what's happening around you. One method I like to do is this body meditation. What I'll do is, you can lie in bed or in a chair, and you're focusing on parts of your body. So your tippy toes: how do your toes feel? Do they feel hot, cold? Can you not feel them? Are they touching socks, or just touching your shoes? Then as you go along, maybe you go up to your calf, to your legs: do you feel anything? Do you feel your pant legs? Is it a warm sensation? Are your knees swollen? You slowly progress all the way up to the top of your head, feeling sensations and focusing on that, and then you can go back down and keep going through this pattern, up and down. The idea is just to slow down and focus. I mean, we're clothed all day, every day, but can we say that we notice that we have these clothes on all day, every day? Do we feel every time they touch us? Probably not; you just get accustomed to it. So as an analyst it's important to slow that process down.

We're going to have you look at another piece of artwork and do the same thing as we did previously: we're going to spend two minutes looking at it. But the difference is, I'm not necessarily looking for you to put in details and write things down. If you want to, you can, but I'm more curious about trying to use this technique, this body scan. So start maybe in the bottom left-hand corner of the picture, look at that section, go to the next section, maybe to the right, to the left, or whatever direction you want to, and kind of scan the picture.

All right, two minutes. Go. Like I said, it's not as important that you write; if you get to writing, that's great, but take two minutes and look at this.


All right, two minutes is up. Now, how did that compare to maybe the first time? Maybe it was easier, maybe it was harder, but at least this time you had a methodology when you were looking at the painting, when you were looking at that piece of artwork, and you might have come across something that you might not have otherwise seen. I mean, the idea of picking this: how many people had actually seen this previously? Raise your hand. Did you see it too? So pretty much everybody in the room has seen this painting before. There is a reason why I picked this one, and it's because of that. But did you notice anything different?

Some people did, maybe some didn't. That's the important thing about being an analyst: slowing that process down, looking at the entire picture itself. When we as analysts go too fast, we might miss a few details that we would not otherwise have noticed. In this painting, do you notice maybe a detail that's missing? Yeah, she's missing a finger. She's missing a finger, yes; the thumb and the forefinger she's missing. Now, could the Photoshop have been a little bit better? Of course; it's not the best I've seen, but the idea is this is something that we see every day and we just might take for granted, so we go over it; we might not look at it in as much detail. There was a second part of that 2016 study: if somebody had seen a piece of artwork before, they're about 50 percent less likely to go up to that painting or that sculpture again. They've seen it; why would you want to look at it again? If they did go up to that piece of artwork again, they spent about 12 seconds less time looking at that piece of artwork. This is a big problem for a security analyst. This isn't a solution, this idea of meditation, slowing down, but when we're faced with a lot of alerts, a lot of information that we've seen previously and we've concluded as non-malicious or a false positive, we start tuning it out in our heads already. You go up: seen Mona Lisa, close. That should be tuned, but we didn't tune it, so we're going to close that. Close it. Well, there's details that you might be missing because of that. So that's the first step: slowing the process down.

The second thing for me is asking these questions, the who, what, where, when, how, why questions. As a kid, some kids might be really good at the why question, and that's a great thing, but as we grow up we start going into industries where I feel like that tends to die off. We almost kind of do what we're told; we don't question everything that is being asked of us, and I think it's a trait that, as an analyst, we need to reinvigorate. I've seen this previously as a security analyst, kind of checking another analyst's work. We got a ticket about sharphound.exe being in the user directory for a user, but don't worry, the EDR blocked it, we're good to go, and they closed the ticket. My question to them was: where did it come from? What is sharphound.exe? What does it do? How does it operate? When did that file get there? How did the file get there? I mean, there's so many questions that you have to ask, but the analysts never asked those questions; it simply got blocked and they moved on. So I want you, for the next picture that we're going to look at (it's only going to be a minute), I want you to only ask questions. Now, you can write these down; I would recommend probably writing them down so you can refer back to them. Just ask questions, nothing else.


All right, now I know in this assignment we were asked to ask those questions, but how did that compare to maybe the first picture that we looked at? How many questions did you ask in the first picture? I'm sure there were probably a couple; there were some weird things that happened that you had questions about. How many more questions are there when you're just looking for questions to ask? Quite a bit more. There are tons of training materials out there for somebody trying to get into the security field, but if you notice, often those training systems have questions; they'll have 10 questions that you have to answer. It's already pre-built for you. When I'm a security analyst looking at alerts in a system, what questions do I have to follow? The ones that I make up. So in this picture there are tons of questions. I mean, the first thing that sticks out to me is: why is there an elephant in the middle of a road? Where is this? Are we in South America, North America, China? Where are we in this photo? What time of day is it? What's the season? Why are there so many people around, when we look to be in kind of a desolate area?

So there's a lot of questions, and that's what we should strive for as an analyst, kind of as a second step: getting those questions. Now, in this photo I'll give you a little back history; I think that's appropriate instead of leaving you hanging. This picture was taken in the late '70s, and this is in Washington State. There was an elephant trainer that also bred elephants; in this case one of the elephants had escaped, and the sheriff's department was essentially trying to run it down, in the sense of capture it and corral it back to the area where the trainer had it. Of course this was in the summertime, and during the chase the elephant got exhausted, and that's why they put water on it. So there's a lot to this, and we might have never gotten those answers, but we had to ask those questions.

So on to the third thing. This painting, I thought, is pretty interesting, pretty unique. The time period, you could probably guess, is not a current painting. I like the colors, the two gentlemen; there's a lot of items in the background that maybe I can or can't identify, but there's one thing that I have a question about, and that's the thing at the bottom. Now, some people might see this and know exactly what it is, no question; then there's other people that will look at this and not have a clue. That's the job of a security analyst: you might come across something that you might not be able to identify clearly, and that's okay, that's not a problem, but that's when we have to change our perspective on things. We have to look at things a little bit differently. So if you change your perspective with this painting, it becomes a little bit clearer, doesn't it? It's a skull. So what does that look like as a security analyst? How do we change our perspective? We get a bigger alert in a system; we can't identify it; we don't know what that is. How do we change our perspective? Well, sure, maybe all of our alerts go into one centralized system. That's great, but there are other tools that feed into it, and sometimes those tools give us just enough information to help us drive more questions.

So you get a server in the DMZ making a connection into the network to a workstation. Now, you don't know what that server is. How can you change your perspective? Look at the asset database. Look at the asset database, and of course there's nothing in there; it's never filled out. You're like, okay, let me change my perspective again; let me go to the vulnerability scan. Ah, you see that it's been scanned recently. Maybe you start getting the idea it's a web server, based on the software that's on there, and you see that there are vulnerabilities, critical vulnerabilities, on that web server. That gives you more information, but you want to maybe take it a step further: have there been any changes to that system? Let's go look at the ticketing system. Has there been anything happening on that server? Did an engineer just change something? Maybe, maybe not. All right, so we can start to understand a little bit more of the picture, but maybe we want to take it a step farther; we want to change our perspective once again. We look at the EDR: maybe what process was actually making that connection? Now, at this point you're probably like, Jeff, shut up about all these systems, we get the point, yeah, change your perspective. But that's the idea: there are many avenues for an analyst to keep investigating, keep digging. Sometimes we hit a roadblock, and that happens, but we have to keep digging and looking at other systems and other tools to kind of put together how we're going to investigate this, to get an answer to those questions. We can't just have a question and go close; we have to get answers. Now, I don't know how this is going to turn out on the big screen; it's not the best quality. Sometimes I'm faced with the alert, and let's talk about that web server making that internal connection to the workstation: is it normal? Is it abnormal? Maybe it's normal; I have no idea. So I have to look at things once again a little bit differently.

So in the photo, this is a before and after photo, and the after photo is what kind of drove the investigation. This is a woman that came into a building; she's an assistant to a real estate agent. She comes in Monday through Friday; she'll help her out with some documentation, if there's anything to photocopy, walk her dog, what have you. She comes in every day; she has to check in. On this day she walked into the building like she normally did, spent a couple of hours at the real estate agent's office, and left, and it wasn't until later, when the real estate agent's daughter came to visit, that she actually found her mom murdered. Now, the detectives immediately wanted to start ruling people out, so they looked at the boyfriend, ex-boyfriends, and they didn't really have anybody but the assistant that came and visited her that day. All the detectives were focused on this one thing, this bag. They believed that this bag had everything in there to kill a woman, because conveniently the woman said that she had left the bag in a cab, and they took off and they lost the bag, so there's no way to identify what that is. So the detectives spent tons of time looking at this, and it wasn't until later, when a detective actually looked at the whole picture and looked at the before and after.

So in the before, you see something: her pants. She's got those cargo pants, got those pockets, big pockets, can't miss them on the side. She's leaving the building: where are the cargo pants? The bag? In the bag, yeah. Something they found out later: these pants were put on inside out. Kind of weird, right? Like, why would you go into somebody's place to assist them, and that consists of you trying to change your pants inside out? This was kind of like their, you know, they didn't necessarily have the weapon, but they had some evidence, hard evidence, that something was wrong. Substantial? That's not hard evidence. Well, actually, in this case, when they asked her about it, she didn't have an answer and she cracked. Okay, she admitted everything afterwards, because she had no good answer to this; she admitted that she had the weapon with her and all this other stuff. But the idea here is, as an analyst we don't necessarily know everything about every system. In the scenario we talked about, that server talking to an internal workstation, we go, oh, that's weird, that's got it, let's escalate that. Well, is it? Did you look at the data seven days ago? Did it happen yesterday? How long has this been happening? Now, in this case, if every day she goes in to see her and she turns her pants inside out, then this isn't abnormal, but this was definitely abnormal in this case, and it kind of helped drive that case forward. Now I have a little drawing exercise for you. We're only going to take a minute, so it better be good. I want you to finish this drawing for me.


All right, I know I didn't give you as much time; I'm sorry. I thought this was interesting; it's something I saw on Twitter, and it's kind of one of the last steps, I'd say, in an investigation: asking for other people's perspectives. Sometimes when we get faced with a problem, an issue, we've taken our time, we've looked at the alerts, we've asked those questions, we've changed our perspective, we've looked at other tools, but we still can't come up with any answers. That's when I say ask other people's perspective on things. Now, when I did this drawing I only had one cat; many people had put two cats into the picture. See, somebody else thought of having more than one cat; I did not. When I looked at this I thought one cat the whole time. And there were some people that had the muscular cat; I thought that was interesting. A couple of different people had similar ideas, and of course in the center two different people came up with almost the exact same conclusion of two cats holding hands. Now, I leave this level of perspective to be the last, and the reason why is: let's say we have that alert, that web server making an internal connection. I will see analysts immediately go, oh, Kevin owns that system, let's ask Kevin, he knows about that system, let's ask him right away. They want to get somebody else's perspective right out of the gate; they just want that answer immediately instead of taking the time and going through all those other steps that we had previously. Now Kevin will go, okay, Jeff, yeah, my web server. What workstation is it connecting to? What port is it connecting to, Jeff? What time of day is it? Has it been happening daily? Is it weekly? Can you give me some more information, Jeff? That person will be asking you all those questions that, as an analyst, you never figured out. So I don't have a problem, as an analyst, asking for other people's perspective on things, but there should be some time and effort put in prior, so that if you are asking for somebody else's perspective, you can answer those questions.

All right, so we've kind of concluded our investigation, and that's when we come down to notes. Some people like writing notes, other people do not, but when it comes to notes we should have some organizational structure to them. Now, in this picture, of course you could just pile up all the candy in one little pile and take a snapshot, but you see there was some kind of structure, a methodology, that this person had taken with this.

So we're going to take a minute, and what I want you to do is look at this photo, but I want you to structure your notes, in this case let's say from critical to informational. Let's just take a minute.


All right, so, maybe I'm just going to pick someone, or somebody wants to raise their hand: what is the first thing that you put down for your notes? House is on fire. There's a lot of other information in this picture, but that house on fire would probably be the first thing that I would mention. The second thing I would mention is the fire department is trying to put out the fire, but are they? There's no one in the bucket. Then the dude in the foreground looks like he's wearing fireman's colored pants. So my third observation is a question, and that is: why is there a fire in the background, and it looks like the fire department's there, but he is buying pumpkins at the farmers market?

Or was it the elephant that smashed all the people? Could be the elephant, exactly; it could be throwing the pumpkins. Even though we would like to spend a lot of time as an analyst, maybe spending 20 or 30 minutes on every alert, we don't necessarily have that luxury sometimes, so we have to make sure that we structure our information, our notes, in such a way that we start to give a picture, an idea, to somebody else that hasn't looked at this. So saying that the house is on fire is a great description. Now, can we talk about the smashed pumpkins in the foreground? Sure, but does that really tell the story of what's happening in this picture? So, to give you a little information about what was happening in this photo: this is a training exercise for a fire department. This house was zoned for demolition, and instead of just demolishing it, they set a fire and the fire department was going through a practice run. That's why the fireman in the front, he's not part of this, or whatever his part is, is done, so he's trying to buy a pumpkin for probably something. But the idea is we want to structure our notes in such a way that we have that important information at the top, and we see this in pen tests: they'll maybe have an executive summary, high-level information of what happened during the pen test, and then of course it comes down to the critical and high vulnerability findings that need to be remediated immediately. We want to write notes as a security analyst in the same kind of fashion. Now, does it matter that that workstation is owned by Joe Smith? No, if something else major is going on. It might be informational; it might lead to, or might have, that question down the road, but you want to put the most important stuff first.

So this is kind of like the final exam for you guys. We've talked about kind of five things that we can do to be better analysts, but we're going to take two minutes and I want you to start using these skills. I want you to take some time, look at the painting section by section, ask those questions, maybe you can answer them, maybe you can change your perspective; this could include asking somebody next to you what they think. But we're going to take two minutes and use the skills that we've learned today.


All right, before we grade the final exam I want to go on one detour first. Take a second look at it.

I want to talk about one thing prior to going on to the final exam here, and it's this idea: when an analyst writes their notes, sometimes I see analysts put their feelings into alert notes; they'll put their feelings on how they feel at that time. I've seen somebody say, hey, this alert, this is a connection to the DO, and there was a pen test last week and the pen testers used the DO, so that's probably what we're seeing here today. And it's like, well, what is the DO? You're kind of using abbreviations that maybe the mass audience, you know, would a CISO know what the DO is? Maybe, maybe not. But you want to write your notes in a fashion that everybody could read them. The conclusion to that alert was: well, something happened last week, so that probably affected this alert this week. Why? How did you come to that conclusion? What facts give you that conclusion? There were no facts in that. So here's a picture; it's AI generated. It's a little trick; you shouldn't really be able to identify anything, really; be honest, it's just garbage. But something like this, an analyst might take that and say, hey, that's some guy's room, and that's a backpack, and he's got a mess in there. That's some guy's room: that's their feelings about this picture; those aren't facts. Now, a tedious fact might be: in the bottom left-hand corner there's a white-brown patch that's 1/8 of the whole picture, or 1/16. That's very tedious, but it's more factual than your feelings that this is some guy's room and that's a backpack. So be aware of when you're adding feelings to your notes; you really want to make them objective, not subjective.

So, final exam. Now, you took notes on that picture; you spent two minutes looking at it. The average time is 30 seconds, so you spent more than the average person does on a typical painting. Can you identify the picture that you were looking at for two minutes?

Don't say anything; I'll give some people some time. If you're able to pick the top right one, good job. But the notes that you... Why is there a bridge over our pond? Great question; maybe you can try to do some research.

Yeah, but now think about the notes that you took on that painting. They might have helped you identify which painting this was, but taking those notes, could you give them to somebody that is not in this class today, and would they be able to pick out the painting?

When we're working alerts, when we're looking at tickets, there's a lot of information, a lot of details that go into it, and our job as an analyst is to provide kind of that story, that conclusion, enough information that maybe a higher-up manager or CISO can look at those notes and understand what is transpiring here.

Now think of your notes at the very beginning. How many questions did you ask? Did you try to change your perspective on things at all? Did you even think about changing your perspective, asking for help? What did your notes look like? Were they structured in a fashion where the critical piece of information is at the top? Were there feelings in your notes?

So one of the reasons why Amy Herman, in her book Visual Intelligence, talks about using art, the idea behind using art versus getting into a SIEM or looking at EDR alerts all day, is that art is available to everybody. You can walk out this door, there's art; you can go to a museum, there's art; of course on your phone there's apps for art. What I suggest, if you are interested in being an analyst or cultivating these skills, is take five minutes, look at a piece of artwork for five minutes, go through these steps, ask these questions, analyze it, write your notes in such a fashion that you're putting the critical information, you're putting details, not your feelings, into the notes, and over time it'll just become second nature. Then when you do work out of a system, you have a methodology. I see pen testers; they always talk about the methodology that they use. There's a structure behind what they do; there's a reason. If they immediately try to go in and just use an exploit against a web server they don't really know about, how likely are they to succeed? Very, very seldom. So you need to do the steps, the methodology, work through it, and you'll get better. So just to reiterate: slow the process down, ask those questions, change your perspective, either by asking somebody else or by looking at other security systems, make sure you organize your notes in such a way that there is some kind of structure, maybe critical to informational, and then make sure that they're written in such a fashion that anybody could read them. Any questions?

I'm an art professor at a certain local college. Oh, okay. So, I really appreciate this talk. As an art professor for 20 years, it has been my experience that it's been very, very difficult to maintain the necessity of art education in the liberal arts general education, to the point where they keep taking away our courses and having math and science, which, while very, very important, the ability to analyze, pay attention, scrutinize is so critical, and you made a very clear point of how important it is, for a practical reason. When I go to faculty meetings, for years and years, I'm asked what my discipline is, and mine is in the design area in particular, but I'm usually greeted with, well, that's nice, as if we're like the wallpaper grandmas used to put around the wall, as if it's an ephemeral luxury that's not necessary to our abilities. So this is a really nice topic.

It's one of the skills that I see: analysts will come in and they'll be very technical, very technical, to the point where I'm like, yeah, you're just in the security analyst role to then pivot to another engineering role, pen testing, malware analysis; this is just a pivot point for you, clearly. But this is the same person that will say they know exactly what SharpHound is, which is a malicious tool that an attacker might use, and they go, it's blocked, we're good, move on to the next ticket, and they won't ask those extra questions. They just know that the systems did their job and they won't go any further, and that's where I try to instill in analysts: ask those questions, push forward. And artwork seems to be a way that can relate to everybody, so even if you're new in the field you can look at art; you don't need to necessarily be a technical person to see that.

In grad school we were shown several articles by behavioral psychologists who were using eye tracking technology to analyze the way different people looked at different images, and normal people, non-art people, when they saw a certain specific image, like a woman in a pool, the eye tracking software showed that most people were just looking at the woman; anything else that was considered superfluous was ignored, and the eye was attracted there. But artists, or people who had significant art training, they scanned the whole image; their eyes went back and forth, back and forth, and looked at the things that other people discarded or ignored as superfluous. That's why I tell my students artists tend to be a bit weird, because we notice all the other things that other people wouldn't, and we're trained to do so, but that's our place in society. I wish more analysts would take our classes, because there's a lot of skills there.

Growing up, I never, I wasn't interested in art; I had to take an art class in college; I did it, I moved on. It wasn't until later in my career, it's like, wow. You start taking those five minutes actually looking at a piece of artwork, and you'll be amazed at what, like we looked at the Mona Lisa, you start to realize how in-depth that can really be if you take five minutes and look at it. It's unbelievable, and it's the same with security alerts. You can quickly make an analysis, but if you take the time, well, we see one alert from that server, what other alerts are there around that? And you start to go, oh, there's more to this than just one alert. So thank you for sharing; appreciate that. Any other questions? All right. Visual Intelligence by Amy Herman: she just came out with another one about problem solving; she talks a little bit about using pictures, artwork, for problem solving as well. I still say the Visual Intelligence book is the book to get, especially if you're interested in this field.

Yes, your attention to detail reminded me of Cliff Stoll and The Cuckoo's Egg, because he was interested in a 78 discrepancy in a bill or something like that, something that everyone else just said, that doesn't mean anything, yeah, but that's, it happens all the time, just ignore some of the facts, and it could be...

All right, my time is... Please drop what you're doing; one of the best books ever. All right, I'm going to wrap up. I don't know if there's anybody ready to come in, but thank you guys. [Applause]