Analysts and investigators find common ground in cyberthreat intelligence
When I was a child, I asked my father why cats and dogs don’t play together. In his typical blunt style, he responded, “Because they are just different. They may look similar but rarely will you see them walking down the street together.”
Much later in life, after I began working in the military, intelligence and law enforcement communities, I remembered the question I had asked my father many years before. Within these communities are two groups: the analyst and the investigator. And like cats and dogs, they share many similarities but one critical difference—the language they speak.
While both groups share the goal of disrupting and preventing crime, their contributions to this goal come from various approaches. In other words, they coexist but traditionally have worked with limited interaction as they analyze crime through different lenses.
The difference between cats and dogs
- The Intelligence Analyst (cat): These academic people are generally aloof but cunning. Plus, they’re happy to take the work of other analysts and make it their own. They view things hypothetically and regard their immediate tasks more predictively instead of looking back in hindsight.
- The Investigator (dog): Being practical, these persons prefer a dark workspace with clutter and accolades on the wall. They’re usually methodical and tend to see things in black and white. Also, they’re driven to leave no stone unturned while seeking facts, uncovering patterns and sniffing out the trails of wrongdoers. They live in the past with the intent of catching people before they do the same action again.
With complex threats becoming common, it is my view that both groups are now forced to work in much closer proximity—the “off-leash” area—than either would prefer. Analysts and investigators therefore need to find common ground now, more than ever.
Working together to extinguish cyberattacks
Governments and the private sector are under a continuous cloud of cyberthreats. The threats established and executed today are planned by nefarious or unwitting people both inside and outside institutions. For example, they can take advantage of vulnerable internal systems that communicate with external ones—and can fashion a plan to break into sensitive areas. Regardless of the attack vector, the digital exhaust is ever-present but hidden in seemingly disconnected data sets. These trails are awash in huge masses of data, yet they are identifiable in many different, faint and mainly unconnected ways.
Used in isolation, the analysts’ predictive intelligence methods and the investigators’ approach to known or flagged events have each failed to find, attribute, react to or prepare for cyberattacks. Therefore, it makes sense to combine the two into a mutually supporting approach.
So where does IBM come into this?
The IBM i2 Enterprise Insight Analysis (EIA) platform lets analysts and investigators be who they are—cats and dogs playing together. The functionality of EIA enables them to apply and share their two unique methods. This joint interactive approach shrinks the gaps between the two groups.
Regarding cyberthreat detection and resilience, cyberdata and fraud data can coexist, as can open-source and restricted-source information. Although their individual business functions may remain intact, analysts and investigators must know as much as possible about the threat, method and intent of cyberattacks. With this knowledge, the two groups can quickly ensure a timely response by any organization that requires it.