To Hear What You Need, Stop Listening To Everything

Posted on 4 May 2011 by


Information Overload

Twenty years ago, the problem with intelligence analysis was that you had to work really hard for every nugget of data and information you got to analyze, and in lieu of hard data, make inferences from things like socks in the dryer and tingles up your spine. Today there is such an embarrassment of data out there that we have a hard time keeping up with the deluge.

As intelligence-led policing becomes increasingly mainstream, and as sources of information from government, the Internet, social media and new technology products multiply, analysts find themselves overwhelmed by data.

Therein lies the contemporary crime and intelligence analyst’s dilemma: having tons of stuff to listen to is great, but the trick is finding the right subset of “everything” that supports your specific intelligence mission. And then monitoring only that.

I was discussing this with my friends Rocky DeStefano, a former US Air Force intelligence guy who currently works at the vendor NetWitness, and Will Gragido, a former US Marine intelligence guy who currently works at HP TippingPoint Security. The conversation was so wide ranging that we decided to make it a podcast.

Why am I speaking with guys in the commercial business world? There are a few reasons. First, for the benefit of those who don’t know me, I’ve been in that world for a long time, and was there until just before I jumped the fence and became a cop. I’m still a consultant on areas around intelligence and industrial data theft. So I’m comfortable having these conversations.

In fact, last week at the International Association of Crime Analysts Spring Symposium in Vancouver, Canada, I gave police crime analysts a detailed look at how private enterprises – particularly those in the financial services, energy and manufacturing sectors – view intelligence operations. You can download the presentation here.

Second, Rocky and Will have been on the front lines, literally, of America’s cyber war, and have risked their lives, literally, in defense of our country. That gives them legit sheepdog credibility despite their current private sector status. It also means that they’re really good at their jobs.

Third, there are tons of parallels between how large private enterprises and law enforcement agencies should be looking at intelligence. It’s just that at the moment, private enterprises have the money to do it, and local law enforcement agencies don’t think that they do*.

It is not well discussed, but in the United States large company networks, websites and critical infrastructure are under cyber-attack 24 hours a day, 365 days a year – by nation-state-sponsored groups, by criminal gangs and by individual criminal hackers.

At a recent security conference, the head of security for a big infrastructure firm told me how he stopped his phone from ringing at 3am: he made “the boss’s phone does not ring at 3am” the success metric for a guy he hired. That’s a clever way of coping with the issue, but the fact that such a regime was created at all tells me that someone is always being awakened at 3am to learn of a crime in progress or one that has just occurred.

I’ll bet that sounds familiar. Tell me if this does, too: for years, enterprise security people monitored all network attacks, trying to determine where they were coming from and where they were headed. Then they realized they were playing endless cycles of whack-a-mole, and started to look at ways to get smarter. They began merging strategic and tactical intelligence assets.

The best companies out there – and by “best” I mean those which have embraced intelligence in the lifecycle of how they defend themselves – have reimagined the way they respond. They began by looking at incidents that have occurred and modeling them. At a really high level, this is saying, “First this happened, then this happened, then this happened,” etc, until they have a good model of the entire incident.

Then they compared further incidents against the model, tweaking it until they got it right. Then they compared the model with their defensive infrastructure.

And discovered that they were defending against the wrong things.

Then these organizations redesigned their entire defensive infrastructure. Now they’re in a position to do more. So they start to look for attribution. That is, they start saying, “Who, specifically, is messing with our stuff?”

Which indicators, they ask themselves, can be combined to help us discover who is responsible – internally or while working with law enforcement – and assign attribution?

And, if we have attribution, can we make it predictive? That is to say, if X is true, what do we expect will happen next?
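The model-then-compare loop described above can be made concrete with a small script. This is an added example, not code from the original post or from any of the organizations it describes; the incidents, phase names and controls below are constructed toy data, and the “model” is nothing more than phase frequencies and phase-to-phase transition counts.

```python
"""Incident modeling, coverage comparison and next-step prediction.

Added example with constructed data. Each incident is recorded the way the
post describes ("first this happened, then this happened, ..."): an ordered
list of phase names. Controls are mapped to the phase each one observes.
"""
from collections import Counter, defaultdict

# Constructed sample incidents (not real data). Phase names are hypothetical.
INCIDENTS = [
    ["phish", "exec", "c2", "lateral", "exfil"],
    ["phish", "exec", "c2", "exfil"],
    ["webexploit", "exec", "c2", "lateral", "exfil"],
    ["phish", "exec", "c2", "lateral", "exfil"],
    ["creds", "lateral", "exfil"],
]

# Constructed map of deployed controls to the phase(s) each one can see.
CONTROLS = {
    "perimeter_ids": {"webexploit"},
    "endpoint_av": {"exec"},
    "dlp": {"exfil"},
}


def build_model(incidents):
    """Return (phase_counts, transitions).

    phase_counts: how often each phase appeared across all incidents.
    transitions:  transitions[a][b] = how often phase a was directly
                  followed by phase b. Feeding in more incidents refines
                  both ("compare other incidents against the model").
    """
    phase_counts = Counter()
    transitions = defaultdict(Counter)
    for incident in incidents:
        phase_counts.update(incident)
        for a, b in zip(incident, incident[1:]):
            transitions[a][b] += 1
    return phase_counts, transitions


def coverage_gaps(phase_counts, controls):
    """Phases that occur in incidents but that no deployed control observes,
    most frequent first. This is the step where the model is compared with
    the defensive infrastructure; a non-empty list means you are defending
    against the wrong things."""
    covered = set().union(*controls.values())
    return [p for p, _ in phase_counts.most_common() if p not in covered]


def predict_next(transitions, phase, n=2):
    """Given an observed phase, the n most likely following phases with their
    empirical probabilities: "if X is true, what do we expect next?"
    Returns [] for a phase never seen, or one that always ended the chain."""
    following = transitions.get(phase)
    if not following:
        return []
    total = sum(following.values())
    return [(p, count / total) for p, count in following.most_common(n)]


if __name__ == "__main__":
    counts, trans = build_model(INCIDENTS)
    print("uncovered phases:", coverage_gaps(counts, CONTROLS))
    for seen in ("exec", "c2", "exfil"):
        print(f"after {seen!r} expect:", predict_next(trans, seen))
```

With this toy data the comparison shows that command-and-control and lateral movement, the two phases that appear in almost every incident, are watched by nothing, while the perimeter IDS covers a phase seen once. The prediction side is deliberately simple; a real program would attach indicators to each phase so that “X is true” can be decided from logs rather than by hand.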

Several local law enforcement agencies have done almost the same thing, but in different ways. There are challenges beyond the budgetary.

The datasets they’re dealing with, for example, are somewhat more problematic than those in cyber defense. In law enforcement, we generally don’t have the benefit of “normalized” data, and the systems producing data and information don’t speak with one another well, if at all. And generally speaking, law enforcement intelligence, information and data require far more human correlation and analysis than their counterparts in information technology.

But it absolutely can be done. How do I know that?

I know that because it’s being done now.

* Future blog posts and podcasts will explore in great detail the money thing, from using intelligence to write better grant applications to making the bad guys pay for our toys using asset forfeiture and other methods.