Start with Connected Dots
Okay, back to reality now. Given the space and time in which our previously discussed drive-by shooting occurred, using deductive reasoning, and based on training and experience, a detective would surmise this was in fact a single incident and not fifty-nine different crimes. This is simply a case in which one car drove by and one person fired one thirty-round magazine from a semi-automatic rifle at one victim and fled the scene. We would know that the intended victim was either in the car or lives at the house. The fence was just an innocent victim. We would group and view all the evidence together and treat it as a single incident. In so doing, we reduce the noise.
What allows us to make this assumption is the “investigative mind-set.” What is the totality of the circumstances, and how does the pertinent evidence support the assumptions needed to develop an investigative strategy? Critical to this mind-set is connecting the evidence you have and looking for the resulting patterns. Losing sight of this for the sake of being singularly focused on data mining will result in becoming so focused on the “dots” themselves that you don’t see the connections between them.
Grouping Evidence = Reducing the Noise
Good detective work requires noise reduction just like good InfoSec work does. The goal in detective work is to reduce the noise surrounding an investigation and in so doing only focus on the facts that are pertinent and can be proven in court. An additional level of complexity lies in not only determining which facts are of evidentiary value but also determining the truth, the whole truth and nothing but the truth. That truth must then be proven in front of a judge and jury.
Almost every homicide detective has had at least one case in which he knew who the suspect was, but the evidence available did not rise to the level of “beyond the shadow of a doubt.”
The challenge in information security is the same: does all the data surrounding hundreds of alerts and alarms actually contain pertinent evidence that proves a threat or vulnerability exists? What data should I ignore, and what data should I consider to be evidence? What is noise and what is not?
So in the drive-by example, we can group all the evidence into a single investigation for just one detective to handle. Evidence can be processed more discriminately and the photo unit need only come out once. Only one detective is working the case and only one suspect will be sought.
By viewing this case through a single lens, that of a single detective, we can better understand the relationship between each piece of evidence. We will also reduce the amount of effort put into the investigation, reduce the number of people involved, more quickly determine what occurred and, most importantly, figure out who did it. If a series of crimes has a unique modus operandi, or MO, that information is useless unless we know to whom the MO belongs. We might be able to say with some certainty that these five or six crimes were committed by the same person, but unless we identify that person, that information is useless. Our bad guy will continue to commit those crimes unless we identify him and arrest him. Solving the one case, or series of cases, prevents new cases from occurring. That is what is not happening in InfoSec.
Putting the Puzzle Together
By determining the MO of one person and assigning all related cases to only one detective, we further reduce the noise. In the serial murder example, this means that we don’t assign a new detective for each new case. One detective handles one MO. Also, by identifying the MO, we can take proactive steps to prevent the suspect from attacking again; we need not be reactive.
To use a puzzle as an analogy: corner pieces allow us to set context; border pieces further refine our understanding and help set the strategy for solving the case. In the next installment, I will build on the puzzle analogy and propose how we might start to get ahead of the bad guys.
This is part 4 of a 5-post series. To read the other posts, please see the links below: