Using Security Event Logs to Predict a Potential Breach

Moving on from my previous two blogs on log files, my mysterious log file benefactor then showed me how, using the right techniques, I could use information within log files to predict a potential security breach.

So now, rather than just using log files for forensics or as alarm systems, I can use trend analysis to predict a potential attack before it even occurs.

The most obvious example is that if we know the highly secure administrator account has failed to log in on several machines – it is highly likely that an attack on the administrator account is under way. A more subtle version of using security event logs for predictive analysis is on the Windows operating system: if we detect a certain sequence of services starting up and shutting down, and we know that whenever this sequence occurs some component vital to our network will also be affected, the sequence itself becomes the early warning.
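Both patterns as detection logic over a handful of constructed event records, written as an added example for this post (not code from the original): a failed-logon burst for one account across several hosts, and an ordered service start/stop sequence on one host. The hostnames, account names, timestamps and service names are constructed; 4625 and 7036 are the real Windows event IDs for a failed logon and a service state change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (ts, host, event_id, detail); 4625 = failed logon, 7036 = service state change
EVENTS = [
    ("2024-01-05 09:00:01", "srv-01", 4625, "Administrator"),
    ("2024-01-05 09:00:07", "srv-02", 4625, "Administrator"),
    ("2024-01-05 09:00:12", "srv-03", 4625, "Administrator"),
    ("2024-01-05 09:00:20", "srv-01", 4625, "jdoe"),
    ("2024-01-05 09:30:00", "srv-04", 7036, "BackupAgent:stopped"),
    ("2024-01-05 09:30:03", "srv-04", 7036, "UpdateHelper:running"),
    ("2024-01-05 09:30:09", "srv-04", 7036, "UpdateHelper:stopped"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def multi_host_failed_logons(events, window=timedelta(minutes=5), min_hosts=3):
    """Accounts whose failed logons hit >= min_hosts distinct hosts inside one window."""
    hits = defaultdict(list)                       # account -> [(ts, host)]
    for ts, host, _, account in (e for e in events if e[2] == 4625):
        hits[account].append((parse_ts(ts), host))
    flagged = {}
    for account, rows in hits.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):         # slide the window from each hit
            hosts = {h for t, h in rows[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged

def service_sequence_matches(events, pattern, window=timedelta(minutes=1)):
    """Hosts on which the ordered service-state pattern completes inside one window."""
    per_host = defaultdict(list)                   # host -> [(ts, "Service:state")]
    for ts, host, _, detail in (e for e in events if e[2] == 7036):
        per_host[host].append((parse_ts(ts), detail))
    matched = []
    for host, rows in per_host.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):         # try each row as the sequence start
            idx = 0
            for t, detail in rows[i:]:
                if t - t0 > window or idx == len(pattern):
                    break
                idx += detail == pattern[idx]      # advance one step on a match
            if idx == len(pattern):
                matched.append(host)
                break
    return matched
```

The window and host thresholds are tuning knobs: a single failed logon on one host is normal, the same account failing on three hosts within minutes is not.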