6 principles to get a macro view for the IC
From IC Insider Siren
By John Randles, CEO of Siren
As we enter 2021 there is a lot of uncertainty in the air. We are in the midst of a 3rd wave of Covid-19, with great promises for vaccine roll out yes, but still much work to do. The certainties about our supply chains have been rocked by the SolarWinds breach. The term Hybrid Threats is becoming more and more in vogue looking at conventional and unconventional threats from state & non-state actors.
What does this mean for the Intelligence Community and the way it analyses information? Coincidence or not? Are related events being planned, or just all happening independently at the same time? When looking at multiple events it is really important to understand if they are related and orchestrated, or if they are pure coincidences. And this must be done across very broad, previously unrelated areas of interest. What we are seeing is the need for broad event correlation for analysts across multiple disciplines.
In the past analysts concentrated on correlations at the application / department level. If I am a cyber analyst, I am typically looking at what my SIEM tells me in detecting correlations in my cyber threat world. If I am looking at terrorist financing, I am primarily looking at data in the financial domain. When I am tracking those on a watch list, I am focused on location and signals data primarily. If I’m looking for emerging threats I may concentrate exclusively on open source investigations etc. Typically, very deep analysis, but also siloed in nature.
In the past these were separate areas of interest. It was correlations within the domain. Primarily siloed investigations look at my domain and my domain only. Not because the analyst didn’t want to look across domains but the technology and organisation has been set up in this way.
The nature of the world in 2021 requires that we look for correlations at the highest, macro level possible. We need to see things as they are, not as the threat actors want us to see things. The correlations could be very subtle across misinformation operations, cyber threats, physical operations etc. but they can contain huge insight when found.
It is the job of the analyst, regardless of specialist area, to take this macro view. And the correlations may not be obvious. Unearthing what could be a coincidence or a concerted effort to conceal efforts across multiple domains. How do misinformation operations relate to cyber attacks and relate to compromises on the critical infrastructure supply chain? Having a broad view of linkages, relationships, or related timelines, will lead to turning what may seem like coincidences into true event correlations, evidenced by true events.
It could be argued that the solution providers to the Law Enforcement & Intelligence market are responsible for this siloed thinking as well. For example, there are a huge number of vendors in the Cyber Security domain, but how many of these cyber security vendors also operate comfortably across OSINT, SIGINT, Law Enforcement etc? They are magnificent vendors in the world of cyber security, but this lack of the big picture correlations often causes the obvious to be missed and opens the door to unnecessary threats.
As we think of the scale of the challenge, we at Siren think there are 6 key guiding principles needed when looking at event correlation at a macro level. The 6 key principles the Intelligence Community should be aware of are:
- Big Data capable: Spotting correlations across domains is fundamentally a Big Data challenge and should be first and foremost in your thinking.
- Search on structured and unstructured data: The system should be search focused and deal just as well with structured and unstructured data. Batch or streaming data support is also essential.
- Correlations across Big Data: At the heart of such a platform needs to be Big Data joins and correlations. This will enable the non-obvious to become obvious and for the analyst visualised events in a human readable knowledge graph.
- Analyst usability and visualization: Simplicity should be at the core of the platform to allow as many analysts as possible to interact with, question and draw conclusions from the data. And with the ability to navigate easily and intuitively, run hypothesis locally, disseminate intelligence in a structured fashion and to enhance collaboration.
- Domain agnostic and domain aware: We believe systems need to be agonistic enough to deal with all data in all domains but be domain aware in major areas of investigation. Domain models, for example in SIGINT, OSINT & Cyber are critical.
- AI at the core: The human analyst is no longer on their own. The machine, we believe, is not taking over but is certainly there to help. To make suggestions of classifications of data, anomalies, resolving entities, alerting to threats. AI is your friend. AI is not replacing the analyst but Augmenting the Analyst
As the world becomes more and more complicated the need for agility and connected dots is getting greater. The need for us all to be on our toes and aware of the unseen threat is essential.
Looking at the world in this way is no longer a desktop job. And it can’t be the never-ending large-scale project with stratospheric budgets. Adversaries love us to take both of these approaches as they are so ineffective in the current climate. They either make the lenses on the problem too small or the project is so large and unwieldy you never get to ask the relevant question.
They were built for the last generation of adversary, a different time and more obvious challenges.
To discuss these principles and to see them in action we’d love to engage with you in the Intelligence Community to collaborate and make the nation safer.
Siren provides the leading Investigative Intelligence platform to some of the world’s largest and most complex organizations for Investigative Intelligence on their data. Rooted in academic R&D in information retrieval, distributed computing and knowledge representation, the Siren platform provides integrated investigative intelligence combining previously disconnected capability of search, business intelligence, link analysis and big data operational logging and alerting.
Among Siren awards are Technology Innovation of the Year and the Irish Startup of the Year (Ireland’s National Tech Excellence awards). In 2020, Siren was named as a Gartner Cool Vendor in an Analytics and Data Science Report. For more information, visit www.siren.io.
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.