Communications networks within organizations are frequently targets of malicious attacks, both from within the organization and from outside it. For example, a recently terminated employee of such an organization may use his knowledge of the network to improperly acquire electronic resources from an internal server. In another example, an external hacker may use phishing techniques to lure an unwitting employee into granting the hacker access to electronic resources belonging to the organization via the network.
Such organizations employ technologies such as security incident and event management (SIEM) and data loss prevention (DLP) to help pinpoint unusual activities that may be a signature of a malicious attack. For example, an organization may use a SIEM solution such as enVision from EMC, Inc. of Hopkinton, Mass., to generate reports of unusual activity within the network as determined from various factors such as historical patterns, device characteristics, and the like.
The reports generated from such technologies may form the basis for conventional investigations into specific security problems. For example, a security analyst may use such a report as the basis for an investigation into whether unauthorized users have accessed a privileged shared account. In carrying out the investigation, the security analyst may manually examine the report, or write scripts to automate certain aspects of analyzing the report.
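As an added illustration of the kind of script such an analyst might write (this is example code, not part of the original text and not any vendor's product), the following Python checks a SIEM-style report for uses of a privileged shared account by actors or source hosts outside an authorization policy. The report format, the account names, the actor names and the policy tables are all constructed assumptions for the example.

```python
"""Flag unauthorized use of a privileged shared account in a SIEM-style report."""
import csv
import io
from collections import defaultdict

# Constructed sample report (not real data): one access event per line.
# Columns: when the event occurred, which shared account was used, which
# individual actor used it, from which host, and what action was taken.
SAMPLE_REPORT = """\
timestamp,shared_account,actor,source_host,action
2024-03-01T08:02:11Z,svc_dba,alice,db-jump-01,login
2024-03-01T08:15:40Z,svc_dba,bob,db-jump-01,login
2024-03-01T09:47:03Z,svc_dba,mallory,10.9.8.7,login
2024-03-01T10:05:55Z,svc_dba,alice,db-jump-02,sudo
2024-03-01T23:31:12Z,svc_dba,bob,192.0.2.44,login
2024-03-01T11:20:00Z,svc_web,carol,web-01,login
"""

# Hypothetical authorization policy (an assumption for the example):
# which individuals may use each shared account, and from which hosts.
AUTHORIZED_USERS = {"svc_dba": {"alice", "bob"}, "svc_web": {"carol"}}
APPROVED_HOSTS = {"svc_dba": {"db-jump-01", "db-jump-02"}, "svc_web": {"web-01"}}


def parse_report(text):
    """Parse the CSV report into a list of dicts, one per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious_access(events, account):
    """Return events for `account` whose actor is not authorized or whose
    source host is not approved, each tagged with the reasons it was flagged."""
    findings = []
    for ev in events:
        if ev["shared_account"] != account:
            continue
        reasons = []
        if ev["actor"] not in AUTHORIZED_USERS.get(account, set()):
            reasons.append("actor not authorized")
        if ev["source_host"] not in APPROVED_HOSTS.get(account, set()):
            reasons.append("unapproved source host")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def summarize_by_actor(findings):
    """Count flagged events per actor, to prioritize follow-up."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["actor"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_report(SAMPLE_REPORT)
    flagged = find_suspicious_access(events, "svc_dba")
    for f in flagged:
        print(f["timestamp"], f["actor"], f["source_host"], "; ".join(f["reasons"]))
    print(summarize_by_actor(flagged))
```

On the constructed report this flags two events for `svc_dba`: the login by `mallory` (not an authorized actor, and from an unlisted host) and the late-night login by `bob` from an unapproved address. Checking the source host separately from the actor matters because a legitimate user's credentials may have been phished, so an authorized name arriving from an unexpected host is still worth an analyst's attention.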